Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1579298
MD5: 7dc7a8d2e9d44cae10b9b55b65585ddc
SHA1: 3e78d38a9ce837926831ea27a0efb1a262877334
SHA256: efbfd7a968dc584c166551f171937da09dd94178b8c27e09f5eab73d1641d0d0
Tags: exeuser-Bitsight

Detection

LummaC, Amadey, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey's stealer DLL
Yara detected LummaC Stealer
Yara detected Stealc
AI detected suspicious sample
Allocates memory in foreign processes
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Unusual Parent Process For Cmd.EXE
Sleep loop found (likely to delay execution)
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7DC7A8D2E9D44CAE10B9B55B65585DDC)
    • skotes.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 7DC7A8D2E9D44CAE10B9B55B65585DDC)
  • skotes.exe (PID: 5316 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 7DC7A8D2E9D44CAE10B9B55B65585DDC)
    • 0KGPkVX.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe" MD5: 1C848C274240A7B5561550C4867C336F)
      • cmd.exe (PID: 7556 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7752 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7780 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7832 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 3244 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7924 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 3448 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 1984 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 4916 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8028 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8104 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 1836 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 3496 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 2852 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8152 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3796 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8068 cmdline: C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 1016 cmdline: wmic cpu get ProcessorId,Name,SerialNumber /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 1640 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid,IdentifyingNumber,Name /format:csv" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 1988 cmdline: wmic csproduct get uuid,IdentifyingNumber,Name /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 2328 cmdline: C:\Windows\system32\cmd.exe /c "wmic bios get SerialNumber,Name /format:csv" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 3900 cmdline: wmic bios get SerialNumber,Name /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 1780 cmdline: C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 6108 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 2896 cmdline: C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 4208 cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 4812 cmdline: cmd.exe /C "C:\Users\Public\Netstat\taskhostw.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskhostw.exe (PID: 3484 cmdline: C:\Users\Public\Netstat\taskhostw.exe MD5: 1C848C274240A7B5561550C4867C336F)
          • cmd.exe (PID: 6804 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 6956 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • cmd.exe (PID: 6260 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 6812 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • cmd.exe (PID: 512 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 8024 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 7832 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • cmd.exe (PID: 6328 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 5904 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 6036 cmdline: cmd.exe /C taskkill /F /PID 7720 & del /f /q "0KGPkVX.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 6356 cmdline: taskkill /F /PID 7720 MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • im2o0Q8.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe" MD5: F6AF9584B24DD2A354C1BF537DE92823)
      • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • aspnet_regiis.exe (PID: 7636 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)
    • c12cb864c6.exe (PID: 1740 cmdline: "C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe" MD5: 4A09A81EBF7BEE536D365270FCB2F9AC)
    • 5b6f15dae8.exe (PID: 5628 cmdline: "C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe" MD5: 7D259326E9642C8A13D30573DAFE3D90)
    • e7a505b613.exe (PID: 6940 cmdline: "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe" MD5: BF56486B61F1A99182F133AC8A3937E6)
    • df1fc80896.exe (PID: 7292 cmdline: "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe" MD5: 6573693C2C60CF961BCCC52212548798)
      • chrome.exe (PID: 1464 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • chrome.exe (PID: 1472 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2200,i,14515851997365013362,8630844059888402974,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • 9d3c5f87fc.exe (PID: 8016 cmdline: "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe" MD5: FD7AA6A3EB85D4E29403D5EC15D19029)
      • taskkill.exe (PID: 3960 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 3672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • acfd211374.exe (PID: 1808 cmdline: "C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe" MD5: 46DFC30934FDF5265BB94682C9DF6CEF)
  • taskhostw.exe (PID: 7076 cmdline: "C:\Users\Public\Netstat\taskhostw.exe" MD5: 1C848C274240A7B5561550C4867C336F)
  • taskhostw.exe (PID: 6064 cmdline: "C:\Users\Public\Netstat\taskhostw.exe" MD5: 1C848C274240A7B5561550C4867C336F)
  • e7a505b613.exe (PID: 7264 cmdline: "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe" MD5: BF56486B61F1A99182F133AC8A3937E6)
  • df1fc80896.exe (PID: 3896 cmdline: "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe" MD5: 6573693C2C60CF961BCCC52212548798)
  • 9d3c5f87fc.exe (PID: 6764 cmdline: "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe" MD5: FD7AA6A3EB85D4E29403D5EC15D19029)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000003.2727593553.0000000002806000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000003.2727112349.0000000002806000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000003.2725004156.0000000002806000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(29 entries in total; the first 5 are shown)

Source | Rule | Description | Author | Strings
0.2.file.exe.890000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
1.2.skotes.exe.c00000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Netstat\taskhostw.exe, CommandLine: C:\Users\Public\Netstat\taskhostw.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Netstat\taskhostw.exe, NewProcessName: C:\Users\Public\Netstat\taskhostw.exe, OriginalFileName: C:\Users\Public\Netstat\taskhostw.exe, ParentCommandLine: cmd.exe /C "C:\Users\Public\Netstat\taskhostw.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4812, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Netstat\taskhostw.exe, ProcessId: 3484, ProcessName: taskhostw.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe, ProcessId: 7720, TargetFilename: C:\Users\Public\Netstat\taskhostw.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 5316, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e7a505b613.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c "tasklist", CommandLine: C:\Windows\system32\cmd.exe /c "tasklist", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\Public\Netstat\taskhostw.exe, ParentImage: C:\Users\Public\Netstat\taskhostw.exe, ParentProcessId: 3484, ParentProcessName: taskhostw.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "tasklist", ProcessId: 6804, ProcessName: cmd.exe
Source: Process started | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe, ParentProcessId: 7292, ParentProcessName: df1fc80896.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 1464, ProcessName: chrome.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 5316, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e7a505b613.exe
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1780, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe", ProcessId: 6108, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe", CommandLine: C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe, ParentProcessId: 7720, ParentProcessName: 0KGPkVX.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe", ProcessId: 1780, ProcessName: cmd.exe
Source: Process started | Author: Tim Rauch | Data: Command: C:\Windows\system32\cmd.exe /c "tasklist", CommandLine: C:\Windows\system32\cmd.exe /c "tasklist", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\Public\Netstat\taskhostw.exe, ParentImage: C:\Users\Public\Netstat\taskhostw.exe, ParentProcessId: 3484, ParentProcessName: taskhostw.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "tasklist", ProcessId: 6804, ProcessName: cmd.exe
No Suricata rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | Virustotal: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | ReversingLabs: Detection: 55%
Source: file.exe | Virustotal: Detection: 58%
Source: file.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Netstat\taskhostw.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gdi32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\im2o0Q8[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0KGPkVX[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_15fd487e-e
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526550207.00000199E4323000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2780465677.00000237B0DE2000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2780286086.00000237AEF7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542469364.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2805781398.00000237B0E20000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2806761498.00000237B1999000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: 0KGPkVX.exe, 00000007.00000003.2525035843.00000199E43D0000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524906329.00000199E4332000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587175748.00000199E466D000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587175748.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524685265.00000199E432D000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524906329.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525067213.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2771030188.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775456070.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2772272854.00000237B0DF0000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775822441.00000237B0880000.00000004.00001000.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2842911347.00000237B10E4000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775899864.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 0KGPkVX.exe, 00000007.00000003.2530770935.00000199E4800000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530896172.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2791564295.00000237B08B0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540140145.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804039261.00000237B1137000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540140145.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804039261.00000237B1137000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538232700.00000199E45B9000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2802724506.00000237B0E18000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2803085246.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2802101594.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2803237022.00000237B0E1F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525811462.00000199E4332000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2778149525.00000237B0DE1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: 0KGPkVX.exe, 00000007.00000003.2537574628.00000199E4800000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541787031.00000199E4950000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2537620070.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541827507.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804881787.00000237B1370000.00000004.00001000.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804934104.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804491302.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2801212396.00000237B08B0000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: number of queries: 1001
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
                Source: chrome.exeMemory has grown: Private usage: 0MB later: 29MB
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0089E0C0 recv,recv,recv,recv,0_2_0089E0C0
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.css
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.jpg
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                Source: taskhostw.exe, 00000036.00000003.2780286086.00000237AEF7F000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2805733391.00000237B1143000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
                Source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://notepoud-plus.cn.com/error.php?ref=
                Source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://notepoud-plus.cn.com/validation.php?token=1dvdnavds8hsd98chda9hcdsahcd8r43bjb4b3kjbr4b3jk&ref
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: 0KGPkVX.exe, 00000007.00000003.2713256884.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539293436.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586700700.00000199E4356000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536867345.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541346497.00000199E4342000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587259179.00000199E4662000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 
00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: aspnet_regiis.exe, 0000000A.00000003.2691912151.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: aspnet_regiis.exe, 0000000A.00000003.2691912151.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
                Source: aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.3046409300.000000000285D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.3035642877.0000000002858000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715664410.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2716488968.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714253071.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2713947965.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002806000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discokeyus.lat/
                Source: aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/R
                Source: aspnet_regiis.exe, 0000000A.00000003.2688751763.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2687985373.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2690577709.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2687785737.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2688092488.0000000004FAA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2689610573.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714253071.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2713947965.0000000004FA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discokeyus.lat/The
                Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723994040.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723213122.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723742687.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723498753.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715664410.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2722240097.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2716488968.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2722936027.0000000002806000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discokeyus.lat/YJZ
                Source: aspnet_regiis.exe, 0000000A.00000003.3035642877.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715664410.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726296508.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728624365.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2724742164.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2634798240.00000000027EC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727851900.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2716488968.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723498753.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723742687.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726047574.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728337687.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723213122.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723994040.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2724446404.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2873028429.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 
0000000A.00000003.2728097001.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727593553.0000000002876000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discokeyus.lat/api
                Source: aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api:
                Source: aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiF
                Source: aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apil
                Source: aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiliteR
                Source: aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apip~
                Source: aspnet_regiis.exe, 0000000A.00000003.3035642877.0000000002876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api~5
                Source: aspnet_regiis.exe, 0000000A.00000003.2609684175.000000000281D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/ft
                Source: aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002806000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/lJO
                Source: aspnet_regiis.exe, 0000000A.00000003.3036125237.0000000004FB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/api
                Source: aspnet_regiis.exe, 0000000A.00000003.2725004156.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715664410.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726296508.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728624365.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2724742164.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2730250385.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727851900.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2716488968.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723498753.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723742687.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726047574.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728337687.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723213122.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723994040.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2724446404.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2728097001.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 
0000000A.00000003.2727593553.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2725233317.0000000002876000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2722936027.0000000002876000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discokeyus.lat:443/apiR
                Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
                Source: aspnet_regiis.exe, 0000000A.00000003.2691912151.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                Source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://peps.python.org/pep-0263/
                Source: aspnet_regiis.exe, 0000000A.00000003.2639162987.0000000005003000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
                Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: aspnet_regiis.exe, 0000000A.00000003.2666492056.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639782626.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639162987.0000000005001000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639287809.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2666115003.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: aspnet_regiis.exe, 0000000A.00000003.2639287809.0000000004FD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: aspnet_regiis.exe, 0000000A.00000003.2666492056.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639782626.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639162987.0000000005001000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639287809.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2666115003.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: aspnet_regiis.exe, 0000000A.00000003.2639287809.0000000004FD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: aspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://www.python.org/psf/license/
                Source: cmd.exe | Process created: 43
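The string hits above mix two kinds of URL: certificate-chain OCSP/CRL/AIA addresses and browser search-engine and bookmark strings that a stealer running inside aspnet_regiis.exe would pick up while reading the victim's profile, and one host, discokeyus.lat, that recurs across many distinct memory regions, carries an explicit :443 and an /api path, and is the only one a triage analyst should treat as infrastructure of the sample. The Python below is an added example and not part of the Joe Sandbox report: it parses "String found in binary or memory" entries (the sample input is copied from the entries above and cut to one dump each), trims the ASN.1 bytes that trail OCSP URLs in memory, filters an analyst-defined noise allowlist (an assumption, not report data) and ranks the remaining hosts by how many memory regions and processes reference them.

```python
"""Triage the URLs a sandbox report lists under "String found in binary or memory".

Added example, not part of the Joe Sandbox report. REPORT_LINES are copied from
the report and cut to one memory dump each (constructed input); NOISE_SUFFIXES
and the ranking are the author's heuristics.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

MARKER = "String found in binary or memory:"
# "<process>.exe, <dump id>.sdmp" pairs in front of the marker; a line may list many.
SOURCE_RE = re.compile(r"([A-Za-z0-9_.\-\[\]]+\.exe),\s*([0-9A-Fa-f.]+)\.sdmp")
# Keep only the label(.label)*.tld prefix of a host. OCSP/CRL URLs come out of
# DER-encoded certificates, so in memory they are followed by the next ASN.1
# element: 0x30 (SEQUENCE, ASCII "0") plus a length byte. That is why the report
# shows "ocsp.digicert.com0", "...com0A", "...com0C".
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

# Author's assumption: hosts a stealer drags into memory as a by-product
# (certificate chains, browser defaults read from the victim profile, embedded
# library documentation) rather than as its own infrastructure.
NOISE_SUFFIXES = (
    "digicert.com", "lencr.org", "amazontrust.com",
    "mozilla.org", "mozilla.com", "ecosia.org", "yahoo.com", "duckduckgo.com", "google.com",
    "office.com", "python.org", "curl.se",
)

# Constructed input: report entries shortened to a single dump each.
REPORT_LINES = [
    "Source: 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E4350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C",
    "Source: aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0",
    "Source: aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discokeyus.lat/",
    "Source: aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002876000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discokeyus.lat/apiliteR",
    "Source: aspnet_regiis.exe, 0000000A.00000003.3036125237.0000000004FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discokeyus.lat:443/api",
    "Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discokeyus.lat/YJZ",
    "Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/ip",
    "Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/hsts.html",
]


def parse_string_lines(lines):
    """One record per (process, dump, url); a line with N dumps yields N records."""
    records = []
    for line in lines:
        if MARKER not in line:
            continue
        left, _, right = line.partition(MARKER)
        fields = right.split()
        if not fields:
            continue
        for process, dump in SOURCE_RE.findall(left):
            records.append({"process": process, "dump": dump, "url": fields[0]})
    return records


def clean_host(url):
    """Lower-cased host with the trailing ASN.1 / adjacent-memory bytes cut off."""
    host = (urlsplit(url).hostname or "").lower()
    m = HOST_RE.match(host)
    return m.group(0) if m else host


def is_noise(host):
    return any(host == s or host.endswith("." + s) for s in NOISE_SUFFIXES)


def triage(lines):
    """Split hosts into noise and ranked candidates (most memory regions first)."""
    by_host = defaultdict(lambda: {"hits": 0, "processes": set(), "dumps": set(),
                                   "paths": set(), "explicit_port": False})
    for rec in parse_string_lines(lines):
        host = clean_host(rec["url"])
        if not host:
            continue
        parts = urlsplit(rec["url"])
        try:
            has_port = parts.port is not None
        except ValueError:          # non-numeric port fragment glued onto the host
            has_port = False
        entry = by_host[host]
        entry["hits"] += 1
        entry["processes"].add(rec["process"])
        entry["dumps"].add(rec["dump"])
        entry["paths"].add(parts.path or "/")
        entry["explicit_port"] = entry["explicit_port"] or has_port
    noise = {h for h in by_host if is_noise(h)}
    candidates = [dict(host=h, **v) for h, v in by_host.items() if h not in noise]
    candidates.sort(key=lambda c: (len(c["dumps"]), len(c["processes"]), c["hits"]), reverse=True)
    return {"noise": noise, "candidates": candidates}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    print("noise:", sorted(result["noise"]))
    for c in result["candidates"]:
        print(f'{c["host"]:<16} dumps={len(c["dumps"])} procs={sorted(c["processes"])} '
              f'port={c["explicit_port"]} paths={sorted(c["paths"])}')
```

Ranking by distinct dump regions rather than raw hit count matters on this report: the certificate URLs are repeated in dozens of 0KGPkVX.exe dumps because the same signed Python DLLs are mapped many times, while the C2 host is written into heap memory of the injected process each time it is contacted.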

                System Summary

                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .idata
                Source: skotes.exe.0.drStatic PE information: section name:
                Source: skotes.exe.0.drStatic PE information: section name: .idata
                Source: random[1].exe.5.drStatic PE information: section name:
                Source: random[1].exe.5.drStatic PE information: section name: .idata
                Source: random[1].exe.5.drStatic PE information: section name:
                Source: c12cb864c6.exe.5.drStatic PE information: section name:
                Source: c12cb864c6.exe.5.drStatic PE information: section name: .idata
                Source: c12cb864c6.exe.5.drStatic PE information: section name:
                Source: random[1].exe0.5.drStatic PE information: section name:
                Source: random[1].exe0.5.drStatic PE information: section name: .idata
                Source: random[1].exe0.5.drStatic PE information: section name:
                Source: 5b6f15dae8.exe.5.drStatic PE information: section name:
                Source: 5b6f15dae8.exe.5.drStatic PE information: section name: .idata
                Source: 5b6f15dae8.exe.5.drStatic PE information: section name:
                Source: random[1].exe1.5.drStatic PE information: section name:
                Source: random[1].exe1.5.drStatic PE information: section name: .idata
                Source: random[1].exe1.5.drStatic PE information: section name:
                Source: e7a505b613.exe.5.drStatic PE information: section name:
                Source: e7a505b613.exe.5.drStatic PE information: section name: .idata
                Source: e7a505b613.exe.5.drStatic PE information: section name:
                Source: random[1].exe2.5.drStatic PE information: section name:
                Source: random[1].exe2.5.drStatic PE information: section name: .idata
                Source: df1fc80896.exe.5.drStatic PE information: section name:
                Source: df1fc80896.exe.5.drStatic PE information: section name: .idata
                Source: random[2].exe1.5.drStatic PE information: section name:
                Source: random[2].exe1.5.drStatic PE information: section name: .idata
                Source: acfd211374.exe.5.drStatic PE information: section name:
                Source: acfd211374.exe.5.drStatic PE information: section name: .idata
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exeMemory allocated: 72C40000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exeCode function: 8_2_6C364500 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,CreateProcessW,NtGetContextThread,NtWriteVirtualMemory,NtReadVirtualMemory,NtSetContextThread,NtResumeThread,CloseHandle,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread,NtGetContextThread,8_2_6C364500
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exeCode function: 8_2_6C3636A0 GetModuleHandleW,NtQueryInformationProcess,8_2_6C3636A0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D78BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D7049
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D8860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D31A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00894B30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00894DE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D2D10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D779B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C478BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C47049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C48860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C431A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C04B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C04DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C42D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C4779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C37F36
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C364500
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C3636A0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C35DF30
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C355830
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37F830
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C372030
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C372820
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C351010
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C378810
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C38CC10
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C38F000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C391000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C371870
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C373C60
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C370840
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C388440
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C36E880
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C378CF0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C3824E0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C38E4D0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37B8C0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C370130
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C375510
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C377500
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37CD60
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37A550
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C35D140
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37BDB0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C36D9A0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37ADA0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C376190
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37E9F0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C3801F0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C3791E0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C376E30
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C381E20
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C384620
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C38AA10
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37DA00
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C389E00
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C390600
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C388A70
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C36C660
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C374260
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C377E60
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C378260
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C371290
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37EE80
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C370EF0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C3612D0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C36EED0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C389AD0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C38F6C0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C38D720
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C376700
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C380F70
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C36DF60
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C373360
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C386B50
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C38DFB0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C385FB0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37DBA0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C381BA0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C375B90
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C38C3F0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C35DBE0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37E3E0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37CFE0
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C37FBD0
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 008A80C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 00C180C0 appears 130 times
Source: 0KGPkVX[1].exe.5.dr | Static PE information: Resource name: PYTHON311.DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: 0KGPkVX.exe.5.dr | Static PE information: Resource name: PYTHON311.DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: taskhostw.exe.7.dr | Static PE information: Resource name: PYTHON311.DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: random[1].exe.5.dr | Static PE information: Section: cfpxwuqa ZLIB complexity 0.9943564062056234
Source: c12cb864c6.exe.5.dr | Static PE information: Section: cfpxwuqa ZLIB complexity 0.9943564062056234
Source: random[1].exe0.5.dr | Static PE information: Section: hryplxhh ZLIB complexity 0.990152970564156
Source: 5b6f15dae8.exe.5.dr | Static PE information: Section: hryplxhh ZLIB complexity 0.990152970564156
Source: random[1].exe1.5.dr | Static PE information: Section: ZLIB complexity 0.997418129280822
Source: random[1].exe1.5.dr | Static PE information: Section: cgayxfzg ZLIB complexity 0.9948199209199267
Source: e7a505b613.exe.5.dr | Static PE information: Section: ZLIB complexity 0.997418129280822
Source: e7a505b613.exe.5.dr | Static PE information: Section: cgayxfzg ZLIB complexity 0.9948199209199267
Source: random[1].exe.5.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: c12cb864c6.exe.5.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
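The "ZLIB complexity" values above are the ratio of a section's DEFLATE-compressed size to its raw size: a section whose bytes will not compress (0.99 and up, as for the randomly named cfpxwuqa, hryplxhh and cgayxfzg sections) is almost always encrypted or packed payload rather than compiler output. The following is an added example, not part of the Joe Sandbox report, showing how that metric is computed and used as a triage signal. It parses no PE file: the two section buffers are constructed in place, and both the 0.99 cutoff and the allow-list of well-known section names are this example's own choices rather than the sandbox's.

```python
"""ZLIB complexity of PE section contents as a packing/encryption heuristic.

Added example, not part of the Joe Sandbox report. The two section buffers are
constructed in place (no PE file is parsed); the 0.99 cutoff mirrors the values
the report flags but is this example's own threshold, as is the name allow-list.
"""
import random
import zlib

# Coarse allow-list of names a linker normally emits; anything else is worth a look.
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".pdata",
                          ".idata", ".edata", ".tls", ".bss", ".CRT"}


def zlib_complexity(data):
    """Compressed size divided by raw size. Close to 1.0 means DEFLATE found no
    redundancy, which is what encrypted or already-packed bytes look like."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def odd_section_name(name):
    """True for names outside the allow-list (e.g. the report's 'cfpxwuqa')."""
    return name not in STANDARD_SECTION_NAMES


def triage_sections(sections, threshold=0.99):
    """sections: {name: bytes}. Returns (name, complexity, packed_flag, odd_name_flag)."""
    rows = []
    for name, blob in sections.items():
        c = zlib_complexity(blob)
        rows.append((name, round(c, 4), c >= threshold, odd_section_name(name)))
    return rows


# Constructed stand-ins for section contents (no real sample bytes):
_rng = random.Random(1579298)  # seeded so the numbers are reproducible
ENCRYPTED_SECTION = bytes(_rng.getrandbits(8) for _ in range(65536))
# Repetitive x86 prologue bytes plus zero padding, as real .text tends to look
CODE_SECTION = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" * 1500 + b"\x00" * 4096
SAMPLE = {"cfpxwuqa": ENCRYPTED_SECTION, ".text": CODE_SECTION}

if __name__ == "__main__":
    for row in triage_sections(SAMPLE):
        print(row)
```

A real triage script would feed this the raw section data from a PE parser (pefile's `section.get_data()` is the usual source) and combine the two flags: a high-complexity section with a non-standard name is a stronger signal than either alone, and a high-complexity .rsrc on its own is often just an embedded image.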
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@179/28@0/16
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0KGPkVX[1].exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:64:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Users\Public\Netstat\taskhostw.exe | Mutant created: \Sessions\1\BaseNamedObjects\T
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3368:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_03
Source: C:\Users\Public\Netstat\taskhostw.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\Public\Netstat\taskhostw.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | System information queried: HandleInformation
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId, Name, SerialNumber FROM WIN32_PROCESSOR
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 7720)
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: aspnet_regiis.exe, 0000000A.00000003.2638750800.0000000004FD9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2639492468.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | Virustotal: Detection: 58%
Source: file.exe | ReversingLabs: Detection: 55%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: e7a505b613.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe "C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe "C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe"
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get ProcessorId,Name,SerialNumber /format:csv
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid,IdentifyingNumber,Name /format:csv"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid,IdentifyingNumber,Name /format:csv
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic bios get SerialNumber,Name /format:csv"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic bios get SerialNumber,Name /format:csv
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe "C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Netstat\taskhostw.exe C:\Users\Public\Netstat\taskhostw.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe "C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C taskkill /F /PID 7720 & del /f /q "0KGPkVX.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
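The process tree above packs four behaviours a responder should pull out of the noise of conhost/tasklist spawns: 0KGPkVX.exe fingerprints the host with wmic (ProcessorId, csproduct UUID, BIOS serial, the usual VM/sandbox discriminators), writes the same "Updater" Run value into both HKCU and HKLM pointing at C:\Users\Public\Netstat\taskhostw.exe (a Windows system-binary name living outside System32, and in a world-writable folder), launches that file, then removes itself with taskkill /F /PID followed by del. The following is an added example, not part of the Joe Sandbox report and not the malware's code, that applies those four rules to the command lines as they appear in the report (COMMAND_LINES is a constructed input copied from the lines above; the rule names, the folder and system-name lists, and the WMI property lists are this example's own).

```python
"""Triage of the process command lines the report records: Run-key persistence,
a system-process name executing outside System32, WMI hardware fingerprinting,
and the taskkill-then-delete cleanup. Added example, not the report's or the
malware's code; COMMAND_LINES are copied from the report, the rule names and
the folder/name/property lists are this example's own.
"""
import re

# Constructed input: command lines as they appear in the report's process tree.
COMMAND_LINES = [
    'REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "Updater" /t REG_SZ /F /D "C:\\Users\\Public\\Netstat\\taskhostw.exe"',
    'REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "Updater" /t REG_SZ /F /D "C:\\Users\\Public\\Netstat\\taskhostw.exe"',
    'C:\\Windows\\system32\\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv"',
    'wmic csproduct get uuid,IdentifyingNumber,Name /format:csv',
    'wmic bios get SerialNumber,Name /format:csv',
    'cmd.exe /C taskkill /F /PID 7720 & del /f /q "0KGPkVX.exe"',
    'tasklist',
    'C:\\Windows\\system32\\cmd.exe /c "ver"',
]

# Binaries that ship only under %SystemRoot%; seeing one elsewhere is masquerading.
SYSTEM_PROCESS_NAMES = {"taskhostw.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                        "explorer.exe", "conhost.exe", "dllhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# User-writable folders a Run-key target should not live in.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\",
                   "c:\\programdata\\", "\\downloads\\")
# WMI properties that identify the physical/virtual machine rather than the OS.
WMI_FINGERPRINT = {"cpu": {"processorid", "serialnumber"},
                   "csproduct": {"uuid", "identifyingnumber"},
                   "bios": {"serialnumber"}}

RUN_KEY_RE = re.compile(
    r'\breg\s+add\s+"?(HK(?:CU|LM)\\software\\microsoft\\windows\\currentversion\\run(?:once)?)"?'
    r'.*?/d\s+(?:"([^"]+)"|(\S+))', re.I)
WMIC_RE = re.compile(r"\bwmic\s+(\w+)\s+get\s+([\w,]+)", re.I)
SELF_DELETE_RE = re.compile(r"taskkill\s+/f\s+/pid\s+\d+.*&\s*del\s+", re.I)


def run_key_persistence(cmd):
    """(hive, target path) if cmd writes a Run/RunOnce value, else None."""
    m = RUN_KEY_RE.search(cmd)
    if not m:
        return None
    return m.group(1).split("\\")[0].upper(), (m.group(2) or m.group(3))


def masquerading_path(path):
    """A system binary name whose directory is not System32/SysWOW64."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not p.startswith(SYSTEM_DIRS)


def in_suspicious_dir(path):
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def wmi_fingerprinting(cmd):
    """True when a wmic call asks for machine-identifying properties."""
    m = WMIC_RE.search(cmd)
    if not m:
        return False
    wanted = WMI_FINGERPRINT.get(m.group(1).lower(), set())
    return bool(wanted & {p.lower() for p in m.group(2).split(",")})


def triage(cmd):
    """Rule names that fire for one command line (empty list = nothing notable)."""
    tags = []
    hit = run_key_persistence(cmd)
    if hit:
        hive, target = hit
        tags.append("run-key-persistence:" + hive)
        if in_suspicious_dir(target):
            tags.append("run-key-target-in-suspicious-folder")
        if masquerading_path(target):
            tags.append("system-process-name-outside-system-dir")
    if wmi_fingerprinting(cmd):
        tags.append("hardware-fingerprinting")
    if SELF_DELETE_RE.search(cmd):
        tags.append("self-delete")
    return tags


def triage_all(cmds):
    return {cmd: triage(cmd) for cmd in cmds}


if __name__ == "__main__":
    for cmd, tags in triage_all(COMMAND_LINES).items():
        print(f"{tags or ['-']}  {cmd}")
```

The same rules translate directly to Sysmon event ID 1 / Windows 4688 command-line fields; the HKLM write is worth a separate, higher-severity alert because it only succeeds if 0KGPkVX.exe already runs elevated.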
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown | Process created: C:\Users\Public\Netstat\taskhostw.exe "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown | Process created: C:\Users\Public\Netstat\taskhostw.exe "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe"
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe"
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe"
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe"
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe "C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe"
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2200,i,14515851997365013362,8630844059888402974,262144 /prefetch:8
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe"
                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe "C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe "C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe "C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe "C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe "C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid,IdentifyingNumber,Name /format:csv"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic bios get SerialNumber,Name /format:csv"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C "C:\Users\Public\Netstat\taskhostw.exe"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C taskkill /F /PID 7720 & del /f /q "0KGPkVX.exe"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get ProcessorId,Name,SerialNumber /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid,IdentifyingNumber,Name /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic bios get SerialNumber,Name /format:csv
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeProcess created: unknown unknown
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\Netstat\taskhostw.exe C:\Users\Public\Netstat\taskhostw.exe
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: unknown unknown
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: unknown unknown
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: unknown unknown
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: unknown unknown
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: unknown unknown
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: unknown unknown
                Source: C:\Users\Public\Netstat\taskhostw.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeProcess created: unknown unknown
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2200,i,14515851997365013362,8630844059888402974,262144 /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess created: unknown unknown
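The process-creation rows above carry the behaviours a detection engineer would key on: reg.exe adding a Run value under both HKCU and HKLM that points into C:\Users\Public, a binary named taskhostw.exe running from that Public folder instead of System32, cmd.exe chains of taskkill plus del that remove the dropper, WMIC queries for CPU, product and BIOS identifiers, Chrome started by a dropped executable with --remote-debugging-port, taskkill /IM against firefox.exe, repeated tasklist runs, and a Temp-resident executable spawning aspnet_regiis.exe with no arguments. The following script is an added example for this report, not Joe Sandbox code: it parses rows in the report's own format (with or without the extraction's missing space before "Process created:" and the trailing "Jump to behavior" link text), rebuilds parent-to-child edges and applies one rule per behaviour. The rule names, the lists of system process names, browsers and user-writable locations, and the embedded sample rows (a constructed subset of the rows above) are this example's own choices.

```python
"""Triage rules over Joe Sandbox "Process created" rows (added example)."""
import re
from collections import defaultdict, namedtuple

Row = namedtuple("Row", "parent image cmdline")

# Constructed input: a subset of the rows above, copied from this report.
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Netstat\taskhostw.exe C:\Users\Public\Netstat\taskhostw.exe
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C taskkill /F /PID 7720 & del /f /q "0KGPkVX.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid,IdentifyingNumber,Name /format:csv
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: unknown unknownJump to behavior
"""

# One report row: parent, then the child's image path, then its command line.
ROW_RE = re.compile(
    r"Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*"
    r"(?P<image>.+?\.exe|unknown)\s*(?P<cmdline>.*?)\s*(?:Jump to behavior)?$",
    re.IGNORECASE,
)
# The /D payload of a REG ADD against either Run key.
RUN_KEY_RE = re.compile(
    r"REG ADD\s+\"?HK(?:CU|LM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"?"
    r".*?/D\s+\"?(?P<target>[^\"]+?)\"?\s*$",
    re.IGNORECASE,
)
# Assumed lists for this example; extend them for a real ruleset.
USER_WRITABLE = ("c:\\users\\public", "%public%", "\\appdata\\local\\temp", "%temp%")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"taskhostw.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe", "brave.exe", "opera.exe")


def parse_rows(text):
    """Turn report rows into Row tuples; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            rows.append(Row(m["parent"], m["image"], m["cmdline"]))
    return rows


def process_tree(rows):
    """Parent image -> list of child images, in report order."""
    tree = defaultdict(list)
    for r in rows:
        tree[r.parent].append(r.image)
    return dict(tree)


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(rows):
    """Return (rule, detail) findings for the behaviours the report lists."""
    findings = []
    for r in rows:
        img, cl = r.image.lower(), r.cmdline.lower()
        name = img.rsplit("\\", 1)[-1]
        m = RUN_KEY_RE.search(r.cmdline)
        if m and in_user_writable(m["target"]):
            findings.append(("run_key_to_user_writable", m["target"]))
        if name in SYSTEM_NAMES and not img.startswith(SYSTEM_DIRS):
            findings.append(("system_name_outside_system_dir", r.image))
        if name == "chrome.exe" and "--remote-debugging-port=" in cl:
            findings.append(("chrome_remote_debugging", r.parent))
        if name == "taskkill.exe" and "/im" in cl and any(b in cl for b in BROWSERS):
            findings.append(("browser_killed", r.parent))
        if name == "cmd.exe" and "taskkill" in cl and "del " in cl:
            findings.append(("self_delete_chain", r.parent))
        if name == "wmic.exe" and any(k in cl for k in ("processorid", "uuid", "serialnumber")):
            findings.append(("hardware_fingerprint", r.cmdline))
        if name == "tasklist.exe":
            findings.append(("process_enumeration", r.parent))
        if name == "aspnet_regiis.exe" and in_user_writable(r.parent):
            findings.append(("dotnet_host_spawned_from_user_dir", r.parent))
    return findings


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for parent, children in process_tree(rows).items():
        print(parent, "->", ", ".join(children))
    for rule, detail in triage(rows):
        print(f"[{rule}] {detail}")
```

Each rule looks at one row in isolation, so the same script can be pointed at a full report export or at Sysmon event 1 records once they are rendered in the same "parent, image, command line" shape; the parent-child map is what lets an analyst then walk from a finding such as the Run-key write back to the dropper that spawned the cmd.exe.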
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: napinsp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: pnrpnsp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: wshbth.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: nlaapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: winrnr.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: napinsp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: pnrpnsp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: wshbth.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: nlaapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: winrnr.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: dpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: propsys.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: dlnashext.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: wpdshext.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: edputil.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: urlmon.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: iertutil.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: srvcli.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: netutils.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: wintypes.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: appresolver.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: slc.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: sppc.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: apphelp.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: version.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: vcruntime140.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: libffi-8.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: iphlpapi.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: msasn1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: msasn1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: mswsock.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: dnsapi.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: rasadhlp.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: fwpuclnt.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: sspicli.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: uxtheme.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: rstrtmgr.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: ncrypt.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: ntasn1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: dpapi.dll
                Source: C:\Users\Public\Netstat\taskhostw.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: msimg32.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: msvcr100.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: iertutil.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: urlmon.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: srvcli.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: netutils.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: version.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: vcruntime140.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libffi-8.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: msasn1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: msasn1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: mswsock.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: dnsapi.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: webio.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: version.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: vcruntime140.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libffi-8.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: msasn1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: libcrypto-1_1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: msasn1.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: mswsock.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: dnsapi.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\Public\Netstat\taskhostw.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
                Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                Source: file.exe | Static file information: File size 3185152 > 1048576
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: file.exe | Static PE information: Raw size of cqjlvrjj is bigger than: 0x100000 < 0x29dc00
                Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: 0KGPkVX.exe, 00000007.00000003.2526489918.00000199E25E0000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2526550207.00000199E4323000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2780465677.00000237B0DE2000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2780286086.00000237AEF7F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 0KGPkVX.exe, 00000007.00000003.2542198104.00000199E4E11000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2542469364.00000199E458A000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2805781398.00000237B0E20000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2806761498.00000237B1999000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: 0KGPkVX.exe, 00000007.00000003.2525035843.00000199E43D0000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586760714.00000199E4661000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524906329.00000199E4332000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587175748.00000199E466D000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2586608112.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2587175748.00000199E46BC000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524685265.00000199E432D000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524618218.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2524906329.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525067213.00000199E438F000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2771030188.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775456070.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2772272854.00000237B0DF0000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775822441.00000237B0880000.00000004.00001000.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2842911347.00000237B10E4000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2775899864.00000237B0E48000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 0KGPkVX.exe, 00000007.00000003.2530770935.00000199E4800000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2532079968.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530829929.00000199E4579000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2530896172.00000199E4556000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2791564295.00000237B08B0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4669000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540140145.00000199E46BD000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804039261.00000237B1137000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 0KGPkVX.exe, 00000007.00000003.2539128640.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538232700.00000199E45B9000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2538033409.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2802724506.00000237B0E18000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2803085246.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2802101594.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2803237022.00000237B0E1F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 0KGPkVX.exe, 00000007.00000003.2525889530.00000199E4313000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2525811462.00000199E4332000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2778149525.00000237B0DE1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: 0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmp
                Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: 0KGPkVX.exe, 00000007.00000003.2537574628.00000199E4800000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4653000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541787031.00000199E4950000.00000004.00001000.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2536359962.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2540783735.00000199E4674000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2537620070.00000199E4692000.00000004.00000020.00020000.00000000.sdmp, 0KGPkVX.exe, 00000007.00000003.2541827507.00000199E46B3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804881787.00000237B1370000.00000004.00001000.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804934104.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2804491302.00000237B10F3000.00000004.00000020.00020000.00000000.sdmp, taskhostw.exe, 00000036.00000003.2801212396.00000237B08B0000.00000004.00001000.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.890000.0.unpack :EW;.rsrc:W;.idata :W;cqjlvrjj:EW;fvbffgym:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cqjlvrjj:EW;fvbffgym:EW;.taggant:EW;
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 1.2.skotes.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W;cqjlvrjj:EW;fvbffgym:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cqjlvrjj:EW;fvbffgym:EW;.taggant:EW;
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Unpacked PE file: 65.2.e7a505b613.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cgayxfzg:EW;rvxmyzlm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cgayxfzg:EW;rvxmyzlm:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: random[1].exe.5.dr | Static PE information: real checksum: 0x4491e0 should be: 0x43fa47
                Source: random[1].exe1.5.dr | Static PE information: real checksum: 0x1cb624 should be: 0x1ca30e
                Source: im2o0Q8[1].exe.5.dr | Static PE information: real checksum: 0x0 should be: 0xac353
                Source: random[1].exe2.5.dr | Static PE information: real checksum: 0x2d3d86 should be: 0x2c99cd
                Source: acfd211374.exe.5.dr | Static PE information: real checksum: 0x2a9f9e should be: 0x2a7834
                Source: 5b6f15dae8.exe.5.dr | Static PE information: real checksum: 0x1dd989 should be: 0x1e226e
                Source: df1fc80896.exe.5.dr | Static PE information: real checksum: 0x2d3d86 should be: 0x2c99cd
                Source: gdi32.dll.8.dr | Static PE information: real checksum: 0x0 should be: 0xa0f55
                Source: e7a505b613.exe.5.dr | Static PE information: real checksum: 0x1cb624 should be: 0x1ca30e
                Source: c12cb864c6.exe.5.dr | Static PE information: real checksum: 0x4491e0 should be: 0x43fa47
                Source: 0KGPkVX[1].exe.5.dr | Static PE information: real checksum: 0x0 should be: 0x8bdec1
                Source: random[2].exe1.5.dr | Static PE information: real checksum: 0x2a9f9e should be: 0x2a7834
                Source: file.exe | Static PE information: real checksum: 0x30c545 should be: 0x317923
                Source: skotes.exe.0.dr | Static PE information: real checksum: 0x30c545 should be: 0x317923
                Source: 0KGPkVX.exe.5.dr | Static PE information: real checksum: 0x0 should be: 0x8bdec1
                Source: random[1].exe0.5.dr | Static PE information: real checksum: 0x1dd989 should be: 0x1e226e
                Source: taskhostw.exe.7.dr | Static PE information: real checksum: 0x0 should be: 0x8bdec1
                Source: im2o0Q8.exe.5.dr | Static PE information: real checksum: 0x0 should be: 0xac353
                Source: file.exe | Static PE information: section name: (blank)
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name: cqjlvrjj
                Source: file.exe | Static PE information: section name: fvbffgym
                Source: file.exe | Static PE information: section name: .taggant
                Source: skotes.exe.0.dr | Static PE information: section name: (blank)
                Source: skotes.exe.0.dr | Static PE information: section name: .idata
                Source: skotes.exe.0.dr | Static PE information: section name: cqjlvrjj
                Source: skotes.exe.0.dr | Static PE information: section name: fvbffgym
                Source: skotes.exe.0.dr | Static PE information: section name: .taggant
                Source: random[1].exe.5.dr | Static PE information: section name: (blank)
                Source: random[1].exe.5.dr | Static PE information: section name: .idata
                Source: random[1].exe.5.dr | Static PE information: section name: (blank)
                Source: random[1].exe.5.dr | Static PE information: section name: cfpxwuqa
                Source: random[1].exe.5.dr | Static PE information: section name: eexnemuq
                Source: random[1].exe.5.dr | Static PE information: section name: .taggant
                Source: c12cb864c6.exe.5.dr | Static PE information: section name: (blank)
                Source: c12cb864c6.exe.5.dr | Static PE information: section name: .idata
                Source: c12cb864c6.exe.5.dr | Static PE information: section name: (blank)
                Source: c12cb864c6.exe.5.dr | Static PE information: section name: cfpxwuqa
                Source: c12cb864c6.exe.5.dr | Static PE information: section name: eexnemuq
                Source: c12cb864c6.exe.5.dr | Static PE information: section name: .taggant
                Source: random[1].exe0.5.dr | Static PE information: section name: (blank)
                Source: random[1].exe0.5.dr | Static PE information: section name: .idata
                Source: random[1].exe0.5.dr | Static PE information: section name: (blank)
                Source: random[1].exe0.5.dr | Static PE information: section name: hryplxhh
                Source: random[1].exe0.5.dr | Static PE information: section name: kfhnvius
                Source: random[1].exe0.5.dr | Static PE information: section name: .taggant
                Source: 5b6f15dae8.exe.5.dr | Static PE information: section name: (blank)
                Source: 5b6f15dae8.exe.5.dr | Static PE information: section name: .idata
                Source: 5b6f15dae8.exe.5.dr | Static PE information: section name: (blank)
                Source: 5b6f15dae8.exe.5.dr | Static PE information: section name: hryplxhh
                Source: 5b6f15dae8.exe.5.dr | Static PE information: section name: kfhnvius
                Source: 5b6f15dae8.exe.5.dr | Static PE information: section name: .taggant
                Source: random[1].exe1.5.dr | Static PE information: section name: (blank)
                Source: random[1].exe1.5.dr | Static PE information: section name: .idata
                Source: random[1].exe1.5.dr | Static PE information: section name: (blank)
                Source: random[1].exe1.5.dr | Static PE information: section name: cgayxfzg
                Source: random[1].exe1.5.dr | Static PE information: section name: rvxmyzlm
                Source: random[1].exe1.5.dr | Static PE information: section name: .taggant
                Source: e7a505b613.exe.5.dr | Static PE information: section name: (blank)
                Source: e7a505b613.exe.5.dr | Static PE information: section name: .idata
                Source: e7a505b613.exe.5.dr | Static PE information: section name: (blank)
                Source: e7a505b613.exe.5.dr | Static PE information: section name: cgayxfzg
                Source: e7a505b613.exe.5.dr | Static PE information: section name: rvxmyzlm
                Source: e7a505b613.exe.5.dr | Static PE information: section name: .taggant
                Source: random[1].exe2.5.dr | Static PE information: section name: (blank)
                Source: random[1].exe2.5.dr | Static PE information: section name: .idata
                Source: random[1].exe2.5.dr | Static PE information: section name: prrpsiqo
                Source: random[1].exe2.5.dr | Static PE information: section name: wevongkt
                Source: random[1].exe2.5.dr | Static PE information: section name: .taggant
                Source: df1fc80896.exe.5.dr | Static PE information: section name: (blank)
                Source: df1fc80896.exe.5.dr | Static PE information: section name: .idata
                Source: df1fc80896.exe.5.dr | Static PE information: section name: prrpsiqo
                Source: df1fc80896.exe.5.dr | Static PE information: section name: wevongkt
                Source: df1fc80896.exe.5.dr | Static PE information: section name: .taggant
                Source: random[2].exe1.5.dr | Static PE information: section name: (blank)
                Source: random[2].exe1.5.dr | Static PE information: section name: .idata
                Source: random[2].exe1.5.dr | Static PE information: section name: juuuzidd
                Source: random[2].exe1.5.dr | Static PE information: section name: vjgjjgcb
                Source: random[2].exe1.5.dr | Static PE information: section name: .taggant
                Source: acfd211374.exe.5.dr | Static PE information: section name: (blank)
                Source: acfd211374.exe.5.dr | Static PE information: section name: .idata
                Source: acfd211374.exe.5.dr | Static PE information: section name: juuuzidd
                Source: acfd211374.exe.5.dr | Static PE information: section name: vjgjjgcb
                Source: acfd211374.exe.5.dr | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AD91C push ecx; ret 0_2_008AD92F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A1359 push es; ret 0_2_008A135A
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C1D91C push ecx; ret 1_2_00C1D92F
                Source: file.exe | Static PE information: section name: (blank) entropy: 7.110293266300148
                Source: skotes.exe.0.dr | Static PE information: section name: (blank) entropy: 7.110293266300148
                Source: im2o0Q8[1].exe.5.dr | Static PE information: section name: .text entropy: 7.109162295570626
                Source: im2o0Q8.exe.5.dr | Static PE information: section name: .text entropy: 7.109162295570626
                Source: random[1].exe.5.dr | Static PE information: section name: cfpxwuqa entropy: 7.955414645153359
                Source: c12cb864c6.exe.5.dr | Static PE information: section name: cfpxwuqa entropy: 7.955414645153359
                Source: random[1].exe0.5.dr | Static PE information: section name: hryplxhh entropy: 7.948090849881547
                Source: 5b6f15dae8.exe.5.dr | Static PE information: section name: hryplxhh entropy: 7.948090849881547
                Source: random[1].exe1.5.dr | Static PE information: section name: (blank) entropy: 7.985055445795539
                Source: random[1].exe1.5.dr | Static PE information: section name: cgayxfzg entropy: 7.954843030921147
                Source: e7a505b613.exe.5.dr | Static PE information: section name: (blank) entropy: 7.985055445795539
                Source: e7a505b613.exe.5.dr | Static PE information: section name: cgayxfzg entropy: 7.954843030921147
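The static findings in this block (wrong header checksum, blank and random-looking section names, sections with entropy close to 8, entry point in an unusual section) can be re-checked offline without the sandbox. The script below is an added example written for this page, not Joe Sandbox code and not code from the samples: it walks the PE headers with only the Python standard library, recomputes the optional-header CheckSum the way imagehlp does (summing 32-bit words and skipping the CheckSum field itself), measures per-section Shannon entropy, resolves which section contains the entry point, and reports the same traits listed above. The embedded image is constructed for the demonstration; only the section name cqjlvrjj is borrowed from the report. The 7.0 entropy threshold and the "eight lowercase letters, no leading dot" name heuristic are this example's own assumptions.

```python
"""Static PE triage: header checksum, section names, section entropy, entry-point
section. Standard library only, so it runs on any platform."""
import math
import struct
import sys

HIGH_ENTROPY = 7.0  # assumption: bits/byte above this usually means packed/encrypted data


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum as imagehlp's CheckSumMappedFile does:
    end-around-carry sum of the file as 32-bit words, skipping the CheckSum dword,
    folded to 16 bits, plus the file length. Assumes the field is 4-byte aligned."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ walk: CheckSum field offset, entry-point RVA and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    checksum_off = opt + 64                                     # same offset for PE32 and PE32+
    sections = []
    table = opt + size_opt
    for i in range(nsections):
        hdr = table + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "data": data[rawptr:rawptr + rawsize]})
    return {"checksum_offset": checksum_off, "entry_rva": entry_rva, "sections": sections,
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0]}


def audit_pe(data: bytes) -> dict:
    """Return stored/computed checksum, per-section entropy, entry section and findings."""
    pe = parse_pe(data)
    findings, entry_section = [], None
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["stored_checksum"] != computed:
        findings.append(f"checksum mismatch: stored 0x{pe['stored_checksum']:x}, computed 0x{computed:x}")
    for s in pe["sections"]:
        name = s["name"]
        if not name.strip():
            findings.append("unnamed section")
        elif not name.startswith(".") and name.isalpha() and name.islower():  # heuristic
            findings.append(f"random-looking section name: {name}")
        s["entropy"] = shannon_entropy(s["data"])
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"high entropy section {name or '<blank>'}: {s['entropy']:.2f}")
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], len(s["data"])):
            entry_section = name
    if entry_section != ".text":
        findings.append(f"entry point in section {entry_section!r}, not .text")
    return {"stored_checksum": pe["stored_checksum"], "computed_checksum": computed,
            "entry_section": entry_section, "sections": pe["sections"], "findings": findings}


def build_sample_pe(stored_checksum: int = 0) -> bytes:
    """Constructed test image (not a real binary): a constant .text section and a
    high-entropy section named cqjlvrjj (name taken from the report) holding the entry point."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                     # entry point -> second section
    struct.pack_into("<I", opt, 64, stored_checksum)
    text = b"\xC3" * 512                                         # constant bytes: entropy 0
    packed = bytes(range(256)) * 4                               # uniform bytes: entropy 8
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 512, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b"cqjlvrjj", len(packed), 0x2000, len(packed), 1024, 0, 0, 0, 0, 0xE0000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec1 + sec2
    return headers.ljust(512, b"\0") + text + packed


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    report = audit_pe(blob)
    print(f"checksum stored 0x{report['stored_checksum']:x}, computed 0x{report['computed_checksum']:x}")
    for sec in report["sections"]:
        print(f"  {sec['name'] or '<blank>':10} entropy {sec['entropy']:.3f}")
    for f in report["findings"]:
        print("  !", f)
```

Run it with a dropped file as the argument to reproduce the "real checksum ... should be" lines; with no argument it audits the constructed image. A stored checksum of 0x0 (as for im2o0Q8.exe and taskhostw.exe above) means the producer never set the field, which is common for unsigned tooling and packers; a non-zero mismatch means the file was modified after linking.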

                Persistence and Installation Behavior

                Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
                Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
                Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
                Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | File created: C:\Users\user\AppData\Roaming\gdi32.dll
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | File created: C:\Users\Public\Netstat\taskhostw.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0KGPkVX[1].exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\im2o0Q8[1].exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe

                Boot Survival

                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9d3c5f87fc.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e7a505b613.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run df1fc80896.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run acfd211374.exe
                Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonClassJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonClassJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonclassJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonclassJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonclassJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeWindow searched: window name: Regmonclass
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeWindow searched: window name: Filemonclass
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeWindow searched: window name: Regmonclass
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeWindow searched: window name: Filemonclass
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeWindow searched: window name: Regmonclass
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeWindow searched: window name: Filemonclass
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeWindow searched: window name: Regmonclass
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeWindow searched: window name: Filemonclass
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeWindow searched: window name: Regmonclass
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeWindow searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\Tasks\skotes.job
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e7a505b613.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run df1fc80896.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9d3c5f87fc.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run acfd211374.exe
                Source: C:\Windows\System32\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater
                Source: C:\Windows\System32\reg.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_0-11703
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_1-9687
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSystem information queried: FirmwareTableInformation
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeSystem information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: X64DBG.EXE
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WINDBG.EXE
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6FB17 second address: A6FB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5D8DA second address: A5D8DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5D8DE second address: A5D8E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6EAA0 second address: A6EABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6EC60 second address: A6EC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F1EF second address: A6F1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F9D6D14BEA6h 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F1FA second address: A6F200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F200 second address: A6F204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F204 second address: A6F208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F208 second address: A6F220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F9D6D14BEACh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F220 second address: A6F22C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnp 00007F9D6D536296h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71C5B second address: A71C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71CBD second address: A71CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71D4D second address: A71D52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71D52 second address: A71D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D53629Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 0AE38522h 0x00000013 mov dl, A4h 0x00000015 mov dl, C9h 0x00000017 lea ebx, dword ptr [ebp+12446B48h] 0x0000001d movzx esi, di 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 push edi 0x00000025 pop edi 0x00000026 pop ebx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71D7E second address: A71D83 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71F32 second address: A71F50 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D536296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F9D6D536298h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F9D6D536298h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A720A3 second address: A720AD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9D6D14BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90661 second address: A9066A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9066A second address: A90676 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D6D14BEAEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90676 second address: A9069B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F9D6D53629Ah 0x0000000b jmp 00007F9D6D5362A5h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9069B second address: A9069F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9094E second address: A90981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F9D6D5362A8h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90981 second address: A90998 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9D6D14BEB2h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90998 second address: A909D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9D6D536296h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F9D6D5362A2h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 jmp 00007F9D6D5362A7h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A909D5 second address: A909E4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F9D6D14BEA6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90F74 second address: A90F7E instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D6D536296h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A91241 second address: A91245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A916A4 second address: A916A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC9FC1 second address: AC9FC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC9FC7 second address: AC9FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA0BE second address: ACA0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACFD8E second address: ACFD9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F9D6D14BEA6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACFD9A second address: ACFDBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F9D6D5362A7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACEAC2 second address: ACEAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 pop edi 0x0000000a push edi 0x0000000b jne 00007F9D6D14BEAEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF094 second address: ACF09C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF09C second address: ACF0A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF0A0 second address: ACF0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF2F3 second address: ACF304 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEABh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF304 second address: ACF32A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9D6D5362A6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jc 00007F9D6D536296h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF32A second address: ACF347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF347 second address: ACF37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007F9D6D53629Ch 0x00000012 jmp 00007F9D6D5362A5h 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACFA2F second address: ACFA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D6D14BEB5h 0x00000012 jmp 00007F9D6D14BEB3h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACFA64 second address: ACFA68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACFA68 second address: ACFA6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA87C8 second address: AA87CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA87CE second address: A85626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007F9D6D14BEB9h 0x00000010 xor edi, 0CD855E5h 0x00000016 pop edi 0x00000017 jmp 00007F9D6D14BEB0h 0x0000001c lea eax, dword ptr [ebp+1247D4E0h] 0x00000022 jmp 00007F9D6D14BEAEh 0x00000027 push eax 0x00000028 jns 00007F9D6D14BEBBh 0x0000002e mov dword ptr [esp], eax 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F9D6D14BEA8h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b jmp 00007F9D6D14BEABh 0x00000050 call dword ptr [ebp+1244066Dh] 0x00000056 jne 00007F9D6D14BEACh 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8DC9 second address: AA8E28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnc 00007F9D6D5362A3h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jns 00007F9D6D5362B0h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 pop eax 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8E28 second address: AA8E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8E2E second address: AA8E4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F9D6D536296h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9028 second address: AA902C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA902C second address: AA9039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9039 second address: AA903D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA903D second address: AA9060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jng 00007F9D6D536296h 0x0000000d pop ebx 0x0000000e popad 0x0000000f xchg eax, esi 0x00000010 jmp 00007F9D6D53629Ah 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9060 second address: AA9066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9066 second address: AA906A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA90DB second address: AA90DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA90DF second address: AA90F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F9D6D536296h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA90F1 second address: AA90F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA90F7 second address: AA90FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA90FC second address: AA9136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push esi 0x0000000c jno 00007F9D6D14BEA8h 0x00000012 pop esi 0x00000013 mov eax, dword ptr [eax] 0x00000015 push edi 0x00000016 jmp 00007F9D6D14BEB9h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9708 second address: AA9712 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D53629Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA99D5 second address: AA99DA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9AF2 second address: AA9AF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9AF6 second address: AA9AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD4976 second address: AD497D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD497D second address: AD4989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9D6D14BEA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD4989 second address: AD49B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 je 00007F9D6D5362B6h 0x0000000c pushad 0x0000000d jmp 00007F9D6D5362A6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD4DCD second address: AD4DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD4DD2 second address: AD4DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD4DDA second address: AD4DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5A367 second address: A5A371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F9D6D536296h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9EAC second address: AD9EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9EB2 second address: AD9EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F9D6D536296h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9EC3 second address: AD9EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA26A second address: ADA274 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D6D536296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA274 second address: ADA290 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9D6D14BEACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jns 00007F9D6D14BEA8h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADD74F second address: ADD753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A696FA second address: A69704 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D6D14BEA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69704 second address: A6971C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F9D6D5362A2h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6971C second address: A69724 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69724 second address: A69728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69728 second address: A6972C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6972C second address: A69732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69732 second address: A69771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F9D6D14BEB7h 0x0000000f jmp 00007F9D6D14BEADh 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 jmp 00007F9D6D14BEAAh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE683D second address: AE6843 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6843 second address: AE6889 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D6D14BECDh 0x00000008 jmp 00007F9D6D14BEB2h 0x0000000d jmp 00007F9D6D14BEB5h 0x00000012 pushad 0x00000013 jmp 00007F9D6D14BEB4h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6889 second address: AE68BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F9D6D5362A8h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007F9D6D5362ACh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jbe 00007F9D6D536296h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE68BB second address: AE68C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6B1E second address: AE6B2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D53629Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE70D3 second address: AE70E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jnl 00007F9D6D14BEA6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEA410 second address: AEA416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEA567 second address: AEA56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEA6E4 second address: AEA6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AECECE second address: AECEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB0h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE62E second address: AEE63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F9D6D536296h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE63F second address: AEE675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB5h 0x00000007 jmp 00007F9D6D14BEB9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE675 second address: AEE68D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jmp 00007F9D6D53629Bh 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF23A1 second address: AF23BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEB8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF23BD second address: AF23E8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9D6D536296h 0x00000008 jmp 00007F9D6D5362A1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jc 00007F9D6D5362B4h 0x00000017 js 00007F9D6D53629Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF23E8 second address: AF23F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF23F0 second address: AF23F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF1C4C second address: AF1C6E instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D6D14BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b pushad 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 jg 00007F9D6D14BEACh 0x00000016 jp 00007F9D6D14BEA6h 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF20BE second address: AF20DE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D5362AAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF65C2 second address: AF65C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF65C8 second address: AF65F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F9D6D5362A9h 0x0000000e pop edi 0x0000000f jmp 00007F9D6D53629Ch 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6760 second address: AF678D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9D6D14BEA6h 0x0000000a jng 00007F9D6D14BEA6h 0x00000010 popad 0x00000011 pushad 0x00000012 jc 00007F9D6D14BEACh 0x00000018 jo 00007F9D6D14BEA6h 0x0000001e pushad 0x0000001f jne 00007F9D6D14BEA6h 0x00000025 push edi 0x00000026 pop edi 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF68CF second address: AF68D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6B73 second address: AF6B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6B79 second address: AF6B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6B89 second address: AF6B8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6B8F second address: AF6B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6B94 second address: AF6B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFB44B second address: AFB450 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFB59F second address: AFB5B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEAFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFB5B4 second address: AFB5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFB5B9 second address: AFB5BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB5BF second address: AFB5C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB5C3 second address: AFB5C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB76D second address: AFB771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB771 second address: AFB78A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F9D6D14BEA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F9D6D14BEA6h 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB9DA second address: AFB9F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D5362A4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFB9F2 second address: AFBA0E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9D6D14BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D6D14BEB0h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFBA0E second address: AFBA14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9582 second address: AA9587 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9587 second address: AA9602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a xor edx, 0AA1ECF2h 0x00000010 mov edx, dword ptr [ebp+1244229Eh] 0x00000016 mov ebx, dword ptr [ebp+1247D51Fh] 0x0000001c sub dx, 4439h 0x00000021 add eax, ebx 0x00000023 jmp 00007F9D6D53629Fh 0x00000028 push eax 0x00000029 jmp 00007F9D6D53629Dh 0x0000002e mov dword ptr [esp], eax 0x00000031 or dword ptr [ebp+124405F7h], ebx 0x00000037 push 00000004h 0x00000039 nop 0x0000003a push ecx 0x0000003b jmp 00007F9D6D5362A4h 0x00000040 pop ecx 0x00000041 push eax 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F9D6D5362A5h 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9602 second address: AA9606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC814 second address: AFC818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC818 second address: AFC87B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007F9D6D14BEA6h 0x00000012 popad 0x00000013 jp 00007F9D6D14BEAAh 0x00000019 jno 00007F9D6D14BEA8h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 jmp 00007F9D6D14BEB7h 0x00000028 push eax 0x00000029 pop eax 0x0000002a pop edx 0x0000002b jmp 00007F9D6D14BEADh 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B05042 second address: B0504C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D536296h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B03142 second address: B03146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B03146 second address: B0314C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B038D2 second address: B038FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jl 00007F9D6D14BEA6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 js 00007F9D6D14BEBAh 0x0000001b jmp 00007F9D6D14BEAEh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0417D second address: B04181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B047CB second address: B047CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04A91 second address: B04A96 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B085E5 second address: B085E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B085E9 second address: B085EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B085EF second address: B085F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B085F5 second address: B0860A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D6D5362A0h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16591 second address: B165A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop ecx 0x00000008 jl 00007F9D6D14BEC4h 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B14DD0 second address: B14DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15C15 second address: B15C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B163D8 second address: B163FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D6D5362A8h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B163FD second address: B16401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16401 second address: B16405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16405 second address: B1640B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1640B second address: B16414 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B141BA second address: B141E4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D6D14BEA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F9D6D14BEBEh 0x00000012 jl 00007F9D6D14BEA6h 0x00000018 jmp 00007F9D6D14BEB2h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B141E4 second address: B141EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B141EC second address: B141F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B141F8 second address: B141FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B28BA6 second address: B28BAC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B28BAC second address: B28BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F9D6D536296h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B289F3 second address: B289F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B289F8 second address: B28A0D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007F9D6D536298h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AB1E second address: B2AB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AB22 second address: B2AB36 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnl 00007F9D6D536296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F9D6D536296h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AB36 second address: B2AB56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2AB56 second address: B2AB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9D6D536296h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2A6AF second address: B2A6B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B308CB second address: B308DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9D6D536296h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B308DC second address: B30901 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9D6D14BEA6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F9D6D14BEB5h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B46ECE second address: B46EE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9D6D5362A4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4703F second address: B47045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47045 second address: B47061 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9D6D5362A0h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47061 second address: B47065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B471CC second address: B471E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D042 second address: B4D075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D14BEB5h 0x00000009 popad 0x0000000a jnc 00007F9D6D14BEB6h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D075 second address: B4D0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D5362A7h 0x00000009 jmp 00007F9D6D53629Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B59E69 second address: B59E72 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B59E72 second address: B59E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5B612 second address: B5B616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6B396 second address: B6B39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6B39C second address: B6B3A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6B3A0 second address: B6B3AA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6B3AA second address: B6B3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EADC second address: B6EAE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EAE4 second address: B6EAE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EAE8 second address: B6EAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EC47 second address: B6EC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B874E4 second address: B874EE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9D6D536296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B874EE second address: B8751A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F9D6D14BEB1h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8751A second address: B8753E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9D6D536296h 0x00000008 jmp 00007F9D6D53629Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jno 00007F9D6D536298h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8777A second address: B877A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F9D6D14BEACh 0x00000012 js 00007F9D6D14BEA6h 0x00000018 jng 00007F9D6D14BEC4h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B877A6 second address: B877C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D6D5362A8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8B026 second address: B8B0AB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push ecx 0x0000000c mov edx, dword ptr [ebp+122D3A22h] 0x00000012 pop edx 0x00000013 push dword ptr [ebp+122D34D8h] 0x00000019 sub dx, 05CFh 0x0000001e call 00007F9D6D14BEA9h 0x00000023 jo 00007F9D6D14BEB5h 0x00000029 jmp 00007F9D6D14BEAFh 0x0000002e push eax 0x0000002f jg 00007F9D6D14BEB0h 0x00000035 pushad 0x00000036 jnl 00007F9D6D14BEA6h 0x0000003c push ecx 0x0000003d pop ecx 0x0000003e popad 0x0000003f mov eax, dword ptr [esp+04h] 0x00000043 push esi 0x00000044 pushad 0x00000045 je 00007F9D6D14BEA6h 0x0000004b js 00007F9D6D14BEA6h 0x00000051 popad 0x00000052 pop esi 0x00000053 mov eax, dword ptr [eax] 0x00000055 jmp 00007F9D6D14BEB8h 0x0000005a mov dword ptr [esp+04h], eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push esi 0x00000063 pop esi 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8B0AB second address: B8B0BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8B0BF second address: B8B0C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F9D6D14BEA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8DFE4 second address: B8DFE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8DFE8 second address: B8DFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D6D14BEB1h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8FABC second address: B8FAD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F9D6D536296h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jl 00007F9D6D53629Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070113 second address: 5070147 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 706A2AFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a mov eax, ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F9D6D14BEAAh 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F9D6D14BEB7h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070147 second address: 50701B2 instructions: 0x00000000 rdtsc 0x00000002 mov ah, F3h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bl, E7h 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9D6D53629Ch 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F9D6D53629Eh 0x00000018 xor ax, A9A8h 0x0000001d jmp 00007F9D6D53629Bh 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F9D6D5362A8h 0x00000029 or si, 1C08h 0x0000002e jmp 00007F9D6D53629Bh 0x00000033 popfd 0x00000034 popad 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50701B2 second address: 50701B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50701B6 second address: 50701BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50701BC second address: 50701D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEB9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0645 second address: 50B064B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B064B second address: 50B064F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50400EB second address: 504010A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504010A second address: 504010E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504010E second address: 5040112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5040112 second address: 5040118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5040118 second address: 504013E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 mov si, 1FCDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9D6D5362A6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504013E second address: 5040166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 352C61C4h 0x00000008 jmp 00007F9D6D14BEADh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9D6D14BEADh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5040166 second address: 504018C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D6D53629Dh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504018C second address: 504019C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEACh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 504019C second address: 50401CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e pushad 0x0000000f mov ax, DB9Bh 0x00000013 mov edi, ecx 0x00000015 popad 0x00000016 push dword ptr [ebp+0Ch] 0x00000019 jmp 00007F9D6D53629Ah 0x0000001e push dword ptr [ebp+08h] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov ch, 00h 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E08 second address: 5060E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E0C second address: 5060E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E12 second address: 5060E44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9D6D14BEB0h 0x0000000f push eax 0x00000010 pushad 0x00000011 movsx ebx, si 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E44 second address: 5060E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060E48 second address: 5060E4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50608F3 second address: 50608F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50608F8 second address: 50608FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50607E1 second address: 5060800 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 2F2Eh 0x00000007 mov edx, 6501103Ah 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 call 00007F9D6D53629Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060800 second address: 5060848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F9D6D14BEB1h 0x0000000b adc cx, EF66h 0x00000010 jmp 00007F9D6D14BEB1h 0x00000015 popfd 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov cx, dx 0x00000020 jmp 00007F9D6D14BEAFh 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060848 second address: 506084E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 506084E second address: 5060852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060852 second address: 50608A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9D6D5362A8h 0x00000013 sbb cx, 0C98h 0x00000018 jmp 00007F9D6D53629Bh 0x0000001d popfd 0x0000001e jmp 00007F9D6D5362A8h 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50608A2 second address: 50608A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50604D1 second address: 50604F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50604F5 second address: 50604F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50604F9 second address: 50604FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50604FF second address: 5060504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060504 second address: 5060529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, 21D4217Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9D6D5362A6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5060529 second address: 506052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 506052F second address: 5060533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50704A7 second address: 50704AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B04BD second address: 50B0523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 pushfd 0x00000008 jmp 00007F9D6D53629Ah 0x0000000d xor si, 5028h 0x00000012 jmp 00007F9D6D53629Bh 0x00000017 popfd 0x00000018 pushfd 0x00000019 jmp 00007F9D6D5362A8h 0x0000001e add cl, FFFFFF88h 0x00000021 jmp 00007F9D6D53629Bh 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esp], ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F9D6D5362A5h 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0523 second address: 50B0533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEACh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 508047C second address: 50804F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F9D6D5362A0h 0x00000010 mov eax, dword ptr [ebp+08h] 0x00000013 jmp 00007F9D6D5362A0h 0x00000018 and dword ptr [eax], 00000000h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F9D6D53629Dh 0x00000024 and esi, 1EAD6C66h 0x0000002a jmp 00007F9D6D5362A1h 0x0000002f popfd 0x00000030 call 00007F9D6D5362A0h 0x00000035 pop esi 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50804F5 second address: 50804FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50804FB second address: 50804FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50804FF second address: 5080503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5060714 second address: 506071A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 506071A second address: 5060720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5060720 second address: 506079C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F9D6D5362A4h 0x00000012 jmp 00007F9D6D5362A5h 0x00000017 popfd 0x00000018 push ecx 0x00000019 pushfd 0x0000001a jmp 00007F9D6D5362A7h 0x0000001f adc esi, 1086470Eh 0x00000025 jmp 00007F9D6D5362A9h 0x0000002a popfd 0x0000002b pop ecx 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov dx, ax 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 506079C second address: 50607A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 508002D second address: 5080033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080033 second address: 508004E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D6D14BEAFh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080230 second address: 508024D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 508024D second address: 50802AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D6D14BEB7h 0x00000009 or esi, 2FE5CC3Eh 0x0000000f jmp 00007F9D6D14BEB9h 0x00000014 popfd 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F9D6D14BEB9h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0757 second address: 50A0784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D6D53629Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0784 second address: 50A0806 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F9D6D14BEB1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F9D6D14BEAEh 0x00000015 mov ebp, esp 0x00000017 jmp 00007F9D6D14BEB0h 0x0000001c xchg eax, ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 pushfd 0x00000023 jmp 00007F9D6D14BEB3h 0x00000028 sub si, 1EEEh 0x0000002d jmp 00007F9D6D14BEB9h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0806 second address: 50A082D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F9D6D53629Ah 0x00000012 pop esi 0x00000013 mov cl, bl 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A082D second address: 50A0845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0845 second address: 50A0849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0849 second address: 50A084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A084F second address: 50A0882 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D5362A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FB65FCh] 0x0000000e jmp 00007F9D6D5362A0h 0x00000013 test eax, eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0882 second address: 50A0886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0886 second address: 50A088A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A088A second address: 50A0890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0890 second address: 50A0897 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 53h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0897 second address: 50A0909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007F9DDEFDEF6Eh 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F9D6D14BEB9h 0x00000014 and ah, FFFFFFA6h 0x00000017 jmp 00007F9D6D14BEB1h 0x0000001c popfd 0x0000001d pushad 0x0000001e call 00007F9D6D14BEAEh 0x00000023 pop ecx 0x00000024 jmp 00007F9D6D14BEABh 0x00000029 popad 0x0000002a popad 0x0000002b mov ecx, eax 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 call 00007F9D6D14BEB2h 0x00000035 pop ecx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0909 second address: 50A09AB instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 40ECFF66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F9D6D5362A7h 0x0000000f sub eax, 16CCC9EEh 0x00000015 jmp 00007F9D6D5362A9h 0x0000001a popfd 0x0000001b popad 0x0000001c xor eax, dword ptr [ebp+08h] 0x0000001f jmp 00007F9D6D5362A7h 0x00000024 and ecx, 1Fh 0x00000027 pushad 0x00000028 jmp 00007F9D6D5362A4h 0x0000002d jmp 00007F9D6D5362A2h 0x00000032 popad 0x00000033 ror eax, cl 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F9D6D5362A7h 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A09AB second address: 50A09C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D14BEB4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A09C3 second address: 50A09F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c jmp 00007F9D6D5362A6h 0x00000011 retn 0004h 0x00000014 nop 0x00000015 mov esi, eax 0x00000017 lea eax, dword ptr [ebp-08h] 0x0000001a xor esi, dword ptr [008F2014h] 0x00000020 push eax 0x00000021 push eax 0x00000022 push eax 0x00000023 lea eax, dword ptr [ebp-10h] 0x00000026 push eax 0x00000027 call 00007F9D71D26BC4h 0x0000002c push FFFFFFFEh 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A09F6 second address: 50A09FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A09FA second address: 50A09FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A09FE second address: 50A0A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0A04 second address: 50A0A09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A0A09 second address: 50A0A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505000B second address: 5050011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050011 second address: 5050051 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F9D6D14BEB0h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F9D6D14BEAEh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050051 second address: 5050067 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050067 second address: 505006D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505006D second address: 5050073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050073 second address: 5050077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050077 second address: 505008F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9D6D53629Ah 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505008F second address: 5050093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050093 second address: 5050099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050099 second address: 505012A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and esp, FFFFFFF8h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F9D6D14BEB0h 0x00000014 add al, FFFFFF98h 0x00000017 jmp 00007F9D6D14BEABh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F9D6D14BEB8h 0x00000023 add esi, 0E764DF8h 0x00000029 jmp 00007F9D6D14BEABh 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ecx 0x00000031 pushad 0x00000032 mov ecx, 5CD3074Bh 0x00000037 mov esi, 16C8CD27h 0x0000003c popad 0x0000003d push eax 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 pushfd 0x00000042 jmp 00007F9D6D14BEB9h 0x00000047 jmp 00007F9D6D14BEABh 0x0000004c popfd 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505012A second address: 5050139 instructions: 0x00000000 rdtsc 0x00000002 mov di, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050139 second address: 5050153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050153 second address: 5050159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050159 second address: 505015D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505015D second address: 5050161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050161 second address: 5050187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ecx, edx 0x0000000e jmp 00007F9D6D14BEB7h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050187 second address: 505018D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505018D second address: 505022E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F9D6D14BEB4h 0x00000015 adc ecx, 76060108h 0x0000001b jmp 00007F9D6D14BEABh 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F9D6D14BEB8h 0x00000027 xor al, 00000068h 0x0000002a jmp 00007F9D6D14BEABh 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebx, dword ptr [ebp+10h] 0x00000034 pushad 0x00000035 mov al, 38h 0x00000037 jmp 00007F9D6D14BEB1h 0x0000003c popad 0x0000003d xchg eax, esi 0x0000003e pushad 0x0000003f push esi 0x00000040 pushad 0x00000041 popad 0x00000042 pop edx 0x00000043 mov cx, ED55h 0x00000047 popad 0x00000048 push eax 0x00000049 jmp 00007F9D6D14BEABh 0x0000004e xchg eax, esi 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 mov ax, dx 0x00000055 mov edi, 012F1372h 0x0000005a popad 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505022E second address: 5050234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050234 second address: 5050238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050238 second address: 505028B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F9D6D53629Ch 0x00000012 and cx, AA88h 0x00000017 jmp 00007F9D6D53629Bh 0x0000001c popfd 0x0000001d mov ax, C2FFh 0x00000021 popad 0x00000022 xchg eax, edi 0x00000023 jmp 00007F9D6D5362A2h 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F9D6D53629Eh 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505028B second address: 5050291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050291 second address: 50502C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D53629Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c pushad 0x0000000d movzx eax, di 0x00000010 push edi 0x00000011 call 00007F9D6D5362A4h 0x00000016 pop esi 0x00000017 pop edi 0x00000018 popad 0x00000019 test esi, esi 0x0000001b pushad 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50502C7 second address: 50502D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 mov ecx, 1FC7D7BBh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50502D3 second address: 5050309 instructions: 0x00000000 rdtsc 0x00000002 mov dl, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F9DDF4145D1h 0x0000000d pushad 0x0000000e mov si, 25ABh 0x00000012 popad 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F9D6D5362A8h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050309 second address: 5050318 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050318 second address: 505031E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505031E second address: 505036E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F9DDF02A1ABh 0x0000000e pushad 0x0000000f mov edi, 2CE0B3B0h 0x00000014 popad 0x00000015 mov edx, dword ptr [esi+44h] 0x00000018 jmp 00007F9D6D14BEB2h 0x0000001d or edx, dword ptr [ebp+0Ch] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F9D6D14BEADh 0x00000029 jmp 00007F9D6D14BEABh 0x0000002e popfd 0x0000002f mov ecx, 5F54581Fh 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505036E second address: 5050382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D6D5362A0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5050382 second address: 50503C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e jmp 00007F9D6D14BEB7h 0x00000013 jne 00007F9DDF02A187h 0x00000019 pushad 0x0000001a jmp 00007F9D6D14BEB4h 0x0000001f push eax 0x00000020 push edx 0x00000021 mov dx, si 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50503C7 second address: 50503CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50407CE second address: 50407D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50407D4 second address: 50407D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50407D8 second address: 504085B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D6D14BEADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F9D6D14BEAEh 0x00000011 push eax 0x00000012 jmp 00007F9D6D14BEABh 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov esi, 2EA74C2Bh 0x0000001e pushfd 0x0000001f jmp 00007F9D6D14BEB0h 0x00000024 sbb ecx, 13C953B8h 0x0000002a jmp 00007F9D6D14BEABh 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F9D6D14BEABh 0x0000003c jmp 00007F9D6D14BEB3h 0x00000041 popfd 0x00000042 mov si, B1CFh 0x00000046 popad 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504085B second address: 5040861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5040861 second address: 5040886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b jmp 00007F9D6D14BEB3h 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5040886 second address: 504088C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504088C second address: 5040937 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D6D14BEB8h 0x00000009 jmp 00007F9D6D14BEB5h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F9D6D14BEB0h 0x00000015 and eax, 06D58468h 0x0000001b jmp 00007F9D6D14BEABh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F9D6D14BEB2h 0x0000002e xor cx, 56C8h 0x00000033 jmp 00007F9D6D14BEABh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007F9D6D14BEB8h 0x0000003f sub cx, D928h 0x00000044 jmp 00007F9D6D14BEABh 0x00000049 popfd 0x0000004a popad 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5040937 second address: 504093D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504093D second address: 5040952 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9D6D14BEAAh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5040952 second address: 5040980 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D6D5362A1h 0x00000009 sbb si, E7F6h 0x0000000e jmp 00007F9D6D5362A1h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8FED70 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: AA892E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8FEDA7 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B22E5A instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: C6ED70 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: E1892E instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: C6EDA7 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: E92E5A instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSpecial instruction interceptor: First address: 13DFD89 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSpecial instruction interceptor: First address: 13DFC7A instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSpecial instruction interceptor: First address: 1587220 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSpecial instruction interceptor: First address: 15B0590 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSpecial instruction interceptor: First address: 1599C30 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exeSpecial instruction interceptor: First address: 1613B04 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSpecial instruction interceptor: First address: 81C8E5 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSpecial instruction interceptor: First address: 81C963 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSpecial instruction interceptor: First address: 9BB04F instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSpecial instruction interceptor: First address: 9B9B37 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSpecial instruction interceptor: First address: 9B9779 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSpecial instruction interceptor: First address: 81C8D6 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exeSpecial instruction interceptor: First address: A489CD instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeSpecial instruction interceptor: First address: BD7F4A instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeSpecial instruction interceptor: First address: BD76DD instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeSpecial instruction interceptor: First address: D785D6 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeSpecial instruction interceptor: First address: BD559E instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeSpecial instruction interceptor: First address: DA46A6 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeSpecial instruction interceptor: First address: 2EFBD2 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeSpecial instruction interceptor: First address: 4BCB1F instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeSpecial instruction interceptor: First address: 4A6972 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeSpecial instruction interceptor: First address: 51CFC1 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeSpecial instruction interceptor: First address: 2FDB0B instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeSpecial instruction interceptor: First address: 495587 instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeSpecial instruction interceptor: First address: 4AB42D instructions caused by: Self-modifying code
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exeMemory allocated: 2310000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exeMemory allocated: 2530000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exeMemory allocated: 2350000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeMemory allocated: 4AF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeMemory allocated: 4D20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeMemory allocated: 4C50000 memory reserve | memory write watch
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened / queried: C:\Windows\System32\drivers\VBoxSF.sys
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened / queried: C:\Windows\System32\drivers\vmhgfs.sys
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened / queried: C:\Windows\System32\drivers\vmmouse.sys
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened / queried: C:\Windows\System32\drivers\VBoxGuest.sys
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened / queried: C:\Windows\System32\drivers\VBoxVideo.sys
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened / queried: C:\Windows\System32\drivers\vmci.sys
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened / queried: C:\Windows\System32\drivers\VBoxMouse.sys
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_050D026C rdtsc 0_2_050D026C
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 561
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1155
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1192
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1155
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1211
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1175
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1280
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1141
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1107
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1290
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1257
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Window / User API: threadDelayed 1257
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window / User API: threadDelayed 1248
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window / User API: threadDelayed 1255
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe Window / User API: threadDelayed 1256
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Window / User API: threadDelayed 2467
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1900 Thread sleep count: 561 > 30
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1900 Thread sleep time: -1122561s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5688 Thread sleep count: 1155 > 30
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5688 Thread sleep time: -2311155s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1344 Thread sleep count: 255 > 30
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1344 Thread sleep time: -7650000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5064 Thread sleep count: 1192 > 30
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5064 Thread sleep time: -2385192s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1704 Thread sleep count: 1155 > 30
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1704 Thread sleep time: -2311155s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe TID: 7632 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7656 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 3140 Thread sleep time: -2423211s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 2080 Thread sleep time: -2351175s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 5500 Thread sleep time: -2561280s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 2120 Thread sleep time: -2283141s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 4048 Thread sleep time: -2215107s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 3428 Thread sleep time: -2581290s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 344 Thread sleep time: -2515257s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 2596 Thread sleep time: -2515257s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe TID: 2708 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6716 Thread sleep count: 65 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6716 Thread sleep time: -130065s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 110 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 136 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 176 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 202 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6480 Thread sleep count: 1248 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6480 Thread sleep time: -2497248s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 3340 Thread sleep count: 80 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6496 Thread sleep count: 1255 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6496 Thread sleep time: -2511255s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6584 Thread sleep count: 1256 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe TID: 6584 Thread sleep time: -2513256s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 7964 Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7628 Thread sleep count: 38 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7628 Thread sleep time: -76038s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7576 Thread sleep count: 38 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7576 Thread sleep time: -76038s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7620 Thread sleep count: 36 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7620 Thread sleep time: -72036s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7560 Thread sleep count: 46 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7560 Thread sleep time: -92046s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 5800 Thread sleep time: -36000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7708 Thread sleep count: 34 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7708 Thread sleep time: -68034s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7700 Thread sleep count: 49 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7700 Thread sleep time: -98049s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7632 Thread sleep count: 40 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7632 Thread sleep time: -80040s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7624 Thread sleep count: 42 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 7624 Thread sleep time: -84042s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 5348 Thread sleep time: -38019s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 2060 Thread sleep time: -38019s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 7876 Thread sleep time: -36018s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 3496 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 3052 Thread sleep time: -42021s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe TID: 3496 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe TID: 8004 Thread sleep count: 100 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe TID: 8004 Thread sleep count: 105 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 1340 Thread sleep time: -50025s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 5160 Thread sleep time: -48024s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 8160 Thread sleep count: 250 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 8160 Thread sleep time: -1500000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 5184 Thread sleep time: -36018s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 5076 Thread sleep time: -52026s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 8180 Thread sleep time: -32016s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe TID: 6748 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe TID: 4572 Thread sleep count: 2467 > 30
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe TID: 4572 Thread sleep count: 57 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber, Name FROM Win32_BIOS
                Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID, IdentifyingNumber, Name FROM Win32_ComputerSystemProduct
                Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId, Name, SerialNumber FROM WIN32_PROCESSOR
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (23 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe Thread sleep count: Count: 2467 delay: -10
                Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Thread delayed: delay time: 922337203685477
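                Reading the sleep entries above: "Thread sleep count: N > 30" is the number of sleep calls the sandbox counted on one thread, and "Thread sleep time: -T" the summed relative interval those calls requested. The two counters divide exactly (skotes.exe TID 1900: 1122561 / 561 = 2001; TID 1344: 7650000 / 255 = 30000; df1fc80896.exe TID 8160: 1500000 / 250 = 6000), so each sample runs a loop of fixed-length sleeps rather than one long one, and a per-thread total of roughly 19 to 40 minutes far exceeds a typical analysis window. The value 922337203685477 is the largest relative NT timeout (0x7FFFFFFFFFFFFFFF in 100 ns units) expressed in milliseconds, that is, a thread that parks itself indefinitely. The script below is an added example written for this page, not code from Joe Sandbox or from any of the samples; it parses the report's own lines (a handful are embedded as constructed sample input) and derives the per-call interval, a classification and per-process totals. It assumes the values the report suffixes with "s" are milliseconds, which is the only unit in which a 30000 threshold and 2001-unit intervals make sense; that is the example's reading, not a statement made by the report.

```python
"""Triage the per-thread sleep entries of a Joe Sandbox report.

Added example for this page, not Joe Sandbox code or code from any of
the samples. Assumption: the report's 's'-suffixed values are milliseconds.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Largest relative NT timeout (0x7FFFFFFFFFFFFFFF in 100 ns units) in
# milliseconds: 922337203685477. A sleep of this length never returns.
INFINITE_MS = (2**63 - 1) // 10_000

# Constructed sample: lines copied from the report. The parser accepts both
# the spaced form and the fused 'TID: 1344Thread' form of the raw extraction.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1900 Thread sleep count: 561 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1900 Thread sleep time: -1122561s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1344Thread sleep count: 255 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1344Thread sleep time: -7650000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 8160 Thread sleep count: 250 > 30
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe TID: 8160 Thread sleep time: -1500000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe TID: 7632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7656 Thread sleep time: -30000s >= -30000s
"""

LINE = re.compile(
    r"Source:\s*(?P<path>\S.*?\.exe)\s+TID:\s*(?P<tid>\d+)\s*"
    r"Thread sleep (?P<kind>count|time):\s*-?(?P<value>\d+)"
)


@dataclass
class ThreadStall:
    path: str
    tid: int
    count: int | None = None     # sleep calls the sandbox counted on this thread
    total_ms: int | None = None  # sum of the requested relative intervals

    @property
    def per_call_ms(self) -> float | None:
        """Length of one sleep call, derived from the two counters."""
        if self.count and self.total_ms is not None:
            return self.total_ms / self.count
        return None

    @property
    def infinite(self) -> bool:
        return self.total_ms is not None and self.total_ms >= INFINITE_MS


def parse_stalls(text: str) -> dict[tuple[str, int], ThreadStall]:
    """Pair the 'count' and 'time' lines of each (process, thread)."""
    stalls: dict[tuple[str, int], ThreadStall] = {}
    for m in LINE.finditer(text):
        key = (m["path"], int(m["tid"]))
        stall = stalls.setdefault(key, ThreadStall(*key))
        if m["kind"] == "count":
            stall.count = int(m["value"])
        else:
            stall.total_ms = int(m["value"])
    return stalls


def classify(stall: ThreadStall) -> str:
    """Label the stalling pattern an analyst cares about."""
    if stall.infinite:
        return "infinite-wait"        # thread parks itself for good
    if stall.per_call_ms is not None and stall.per_call_ms >= 30_000:
        return "long-sleep-loop"      # every single call trips a 30 s limit
    if stall.count is not None and stall.count > 30:
        return "short-sleep-loop"     # many sub-threshold sleeps that add up
    return "single-sleep"


def stall_ms_by_process(stalls: dict[tuple[str, int], ThreadStall]) -> dict[str, int]:
    """Total finite stall time requested per process, in milliseconds."""
    totals: dict[str, int] = {}
    for s in stalls.values():
        if s.total_ms is not None and not s.infinite:
            totals[s.path] = totals.get(s.path, 0) + s.total_ms
    return totals


if __name__ == "__main__":
    stalls = parse_stalls(SAMPLE)
    for s in stalls.values():
        name = s.path.rsplit("\\", 1)[-1]
        print(f"{name:>18} TID {s.tid:<5} {classify(s):<17} "
              f"calls={s.count} per_call_ms={s.per_call_ms} total_ms={s.total_ms}")
    for path, ms in stall_ms_by_process(stalls).items():
        print(f"{path}: {ms / 60_000:.1f} min of requested sleep")
```

                Run against the full report text instead of SAMPLE, the same functions give a per-process stall budget and separate the infinite waits (im2o0Q8.exe, acfd211374.exe) from the loops that merely outlast the sandbox; the "Count: 2467 delay: -10" form used once above for 9d3c5f87fc.exe is a different line shape and is deliberately not parsed here.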
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
                Source: file.exe, file.exe, 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, skotes.exe, 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp, e7a505b613.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: 0KGPkVX.exe, 00000007.00000003.2715475053.00000199E463B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\drivers\VBoxSF.sys
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
                Source: 0KGPkVX.exe, 00000007.00000003.2686594043.00000199E49A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ["vmci.
                Source: 0KGPkVX.exe, 00000007.00000003.2711793740.00000199E463B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\drivers\vmhgfs.sys
                Source: 0KGPkVX.exe, 00000007.00000003.2715475053.00000199E4589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3.189", "CID": "gm", "OS": "Windows-10-10.0.19045", "PC-NAME": "571345", "UserName": "user", "PROC": [], "DRIVERS": ["vmci.sys"], "System Language": "en_GB", "Keyboard Layouts": ["en_GB", "en_GB"], "TimeZone": "-0500", "ScreenSize": [1280, 1024], "sysinfo": {"cpu": ["Node,Name,ProcessorId,SerialNumber", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,05EBAB07E8,", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,6C202116B2,"], "csproduct": ["Node,IdentifyingNumber,Name,UUID", "571345,1WEWZM,{833E199C-8C91-4A99-9B85-14D82B785934},71434D56-1548-ED3D-AEE6-C75AECD93BF0"], "bios": ["Node,Name,SerialNumber", "571345,VMW201.00V.20829224.B64.2211211842,Y3G2DK747E"]}, "fullpath": "C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe", "args": ["C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe"]}}
                Source: c12cb864c6.exe, 0000002D.00000003.2776379609.0000000002032000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
                Source: 0KGPkVX.exe, 00000007.00000003.2711793740.00000199E4589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"cmd": "system_info", "data": {"is_admin": true, "IP": "8.46.123.189", "CID": "gm", "OS": "Windows-10-10.0.19045", "PC-NAME": "571345", "UserName": "user", "PROC": [], "DRIVERS": ["vmci.sys"], "System Language": "en_GB", "Keyboard Layouts": ["en_GB", "en_GB"], "TimeZone": "-0500", "ScreenSize": [1280, 1024], "sysinfo": {"cpu": ["Node,Name,ProcessorId,SerialNumber", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,05EBAB07E8,", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,6C202116B2,"], "csproduct": ["Node,IdentifyingNumber,Name,UUID", "571345,1WEWZM,{833E199C-8C91-4A99-9B85-14D82B785934},71434D56-1548-ED3D-AEE6-C75AECD93BF0"], "bios": ["Node,Name,SerialNumber", "571345,VMW201.00V.20829224.B64.2211211842,Y3G2DK747E"]}, "fullpath": "C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe", "args": ["C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe"]}} r4
                Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727112349.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2727593553.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2725004156.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2726047574.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.3037835051.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723994040.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2723213122.0000000002806000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
                Source: file.exe, 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: 0KGPkVX.exe, 00000007.00000003.2715475053.00000199E4589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3.189", "CID": "gm", "OS": "Windows-10-10.0.19045", "PC-NAME": "571345", "UserName": "user", "PROC": [], "DRIVERS": ["vmci.sys"], "System Language": "en_GB", "Keyboard Layouts": ["en_GB", "en_GB"], "TimeZone": "-0500", "ScreenSize": [1280, 1024], "sysinfo": {"cpu": ["Node,Name,ProcessorId,SerialNumber", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,05EBAB07E8,", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,6C202116B2,"], "csproduct": ["Node,IdentifyingNumber,Name,UUID", "571345,1WEWZM,{833E199C-8C91-4A99-9B85-14D82B785934},71434D56-1548-ED3D-AEE6-C75AECD93BF0"], "bios": ["Node,Name,SerialNumber", "571345,VMW201.00V.20829224.B64.2211211842,Y3G2DK747E"]}, "fullpath": "C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe", "args": ["C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe"]}} r4
                Source: 0KGPkVX.exe, 00000007.00000003.2711793740.00000199E4589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"cmd": "system_info", "data": {"is_admin": true, "IP": "8.46.123.189", "CID": "gm", "OS": "Windows-10-10.0.19045", "PC-NAME": "571345", "UserName": "user", "PROC": [], "DRIVERS": ["vmci.sys"], "System Language": "en_GB", "Keyboard Layouts": ["en_GB", "en_GB"], "TimeZone": "-0500", "ScreenSize": [1280, 1024], "sysinfo": {"cpu": ["Node,Name,ProcessorId,SerialNumber", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,05EBAB07E8,", "571345,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,6C202116B2,"], "csproduct": ["Node,IdentifyingNumber,Name,UUID", "571345,1WEWZM,{833E199C-8C91-4A99-9B85-14D82B785934},71434D56-1548-ED3D-AEE6-C75AECD93BF0"], "bios": ["Node,Name,SerialNumber", "571345,VMW201.00V.20829224.B64.2211211842,Y3G2DK747E"]}, "fullpath": "C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe", "args": ["C:\\Users\\user\\AppData\\Local\\Temp\\1019345001\\0KGPkVX.exe"]}}
                Source: 0KGPkVX.exe, 00000007.00000003.2711793740.00000199E463B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\drivers\vmmouse.sysO
                Source: c12cb864c6.exe, 0000002D.00000003.2780938395.00000000072D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node graph_1-10021
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node graph_1-10043
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_050D026C rdtsc 0_2_050D026C
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C391E62 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C391E62
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C652B mov eax, dword ptr fs:[00000030h] 0_2_008C652B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CA302 mov eax, dword ptr fs:[00000030h] 0_2_008CA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C3A302 mov eax, dword ptr fs:[00000030h] 1_2_00C3A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_00C3652B mov eax, dword ptr fs:[00000030h] 1_2_00C3652B
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C395C81 mov eax, dword ptr fs:[00000030h] 8_2_6C395C81
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C394A42 mov eax, dword ptr fs:[00000030h] 8_2_6C394A42
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C391937 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6C391937
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C391E62 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C391E62
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C39435C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C39435C
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C40000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C40000 value starts with: 4D5A
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp | String found in binary or memory: rapeflowwj.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp | String found in binary or memory: crosshuaht.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp | String found in binary or memory: sustainskelet.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp | String found in binary or memory: aspecteirs.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp | String found in binary or memory: energyaffai.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp | String found in binary or memory: necklacebudi.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp | String found in binary or memory: discokeyus.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp | String found in binary or memory: grannyejh.lat
Source: im2o0Q8.exe, 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp | String found in binary or memory: sweepyribs.lat
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C40000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C41000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C7E000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C81000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C91000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C92000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C41000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C7E000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C81000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C91000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C92000
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2436008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe "C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe "C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe "C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe "C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe "C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe "C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid,IdentifyingNumber,Name /format:csv"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic bios get SerialNumber,Name /format:csv"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get ProcessorId,Name,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid,IdentifyingNumber,Name /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic bios get SerialNumber,Name /format:csv
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Netstat\taskhostw.exe C:\Users\Public\Netstat\taskhostw.exe
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: unknown unknown
Source: C:\Users\Public\Netstat\taskhostw.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7720
Source: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: file.exe, 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: 9=Program Manager
Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | Code function: 8_2_6C392038 cpuid 8_2_6C392038
Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019390001\fefd39b33e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019390001\fefd39b33e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019391001\a7b199a02f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019391001\a7b199a02f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019392001\1e89408d66.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019392001\1e89408d66.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019393001\7d2e166a3a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019393001\7d2e166a3a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019394001\417733cd59.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019394001\417733cd59.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019395001\6f56e47528.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019395001\6f56e47528.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019396001\6e8fe4238e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019396001\6e8fe4238e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019397001\2e999888fd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1019397001\2e999888fd.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019398001\e00c1dd1b5.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019398001\e00c1dd1b5.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019399001\16e3a15664.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019399001\16e3a15664.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Windows\System32\drivers\vmci.sys VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\et VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fa VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr_CA VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\x64 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OptimizationGuidePredictionModels VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\pnacl VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001 VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\OriginTrials VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000003.log VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000003.log VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001 VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001 VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\CURRENT VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\MANIFEST-000001 VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\Public VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
                Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\Public\Netstat\taskhostw.exe Queries volume information: C:\Users\Public\Netstat\taskhostw.exe VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008ACBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,0_2_008ACBEA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
                Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
                Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
                Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Registry value created: TamperProtection 0
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
                Source: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: procmon.exe
                Source: c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
                Source: aspnet_regiis.exe, 0000000A.00000003.2870701783.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2885987436.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2872129810.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2900034652.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.skotes.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 7636, type: MEMORYSTR
Source: Yara match | File source: 00000047.00000003.3027432883.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
Source: aspnet_regiis.exe, 0000000A.00000003.2725004156.0000000002876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Libertyicgx
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: aspnet_regiis.exe, 0000000A.00000003.2725004156.0000000002876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3_w
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
Source: aspnet_regiis.exe, 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\8pecxstudios\Cyberfox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\Public\Netstat\taskhostw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\Public\Netstat\taskhostw.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Binance\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDI
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDI
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDI
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDI
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDI
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDI
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPU
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDI
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDI
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZ
                Source: C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exeDirectory queried: number of queries: 1001
                Source: Yara match, File source: Process Memory Space: aspnet_regiis.exe PID: 7636, type: MEMORYSTR

                Remote Access Functionality

                Source: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                Source: Yara match, File source: Process Memory Space: aspnet_regiis.exe PID: 7636, type: MEMORYSTR
                Source: Yara match, File source: 00000047.00000003.3027432883.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (listed per tactic column; a technique prefixed with a number is one the report flagged, with the count shown in the matrix)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                Execution: 41 Windows Management Instrumentation; 1 Native API; 12 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                Privilege Escalation: 1 DLL Side-Loading; 2 Bypass User Account Control; 1 Extra Window Memory Injection; 312 Process Injection; 1 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                Defense Evasion: 411 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 2 Bypass User Account Control; 1 Extra Window Memory Injection; 11 Masquerading; 1 Modify Registry; 3101 Virtualization/Sandbox Evasion; 312 Process Injection
                Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                Discovery: 1 System Time Discovery; 22 File and Directory Discovery; 258 System Information Discovery; 1 Query Registry; 9101 Security Software Discovery; 4 Process Discovery; 3101 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; Network Service Discovery; System Network Connections Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                Collection: 11 Archive Collected Data; 41 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Remote Access Software; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
                Behavior Graph (rendered as an image in the original report): Behavior Graph ID: 1579298, Sample: file.exe, Start date: 21/12/2024, Architecture: WINDOWS, Score: 100

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                Source | Detection | Scanner | Label | Link
                file.exe | 58% | Virustotal | | Browse
                file.exe | 55% | ReversingLabs | Win32.Infostealer.Tinba |
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | 100% | Avira | TR/ATRAPS.Gen |
                C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Avira | TR/Crypt.XPACK.Gen |
                C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe | 100% | Avira | TR/ATRAPS.Gen |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Avira | HEUR/AGEN.1320706 |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Avira | TR/Crypt.TPM.Gen |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Avira | TR/Crypt.TPM.Gen |
                C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
                C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | 100% | Avira | HEUR/AGEN.1320706 |
                C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Joe Sandbox ML | |
                C:\Users\Public\Netstat\taskhostw.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Roaming\gdi32.dll | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\im2o0Q8[1].exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0KGPkVX[1].exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe | 100% | Joe Sandbox ML | |
                C:\Users\Public\Netstat\taskhostw.exe | 5% | ReversingLabs | |
                C:\Users\Public\Netstat\taskhostw.exe | 9% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0KGPkVX[1].exe | 5% | ReversingLabs | |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0KGPkVX[1].exe | 9% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | 87% | ReversingLabs | Win32.Trojan.Amadey |
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | 75% | Virustotal | | Browse
                C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe | 5% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\1019389001\8ccec30e2a.exe | 87% | ReversingLabs | Win32.Trojan.Amadey |
                C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 55% | ReversingLabs | Win32.Infostealer.Tinba |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No contacted domains info
                Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                  https://curl.se/docs/alt-svc.htmlc12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    https://www.ecosia.org/newtab/aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-braspnet_regiis.exe, 0000000A.00000003.2690856095.00000000050CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        https://httpbin.org/ipc12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          https://discokeyus.lat/Theaspnet_regiis.exe, 0000000A.00000003.2688751763.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2687985373.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2690577709.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2687785737.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2688092488.0000000004FAA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2689610573.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714253071.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2713947965.0000000004FA5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            https://www.python.org/psf/license/0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                              https://ac.ecosia.org/autocomplete?q=aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                https://httpbin.org/ipbeforec12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  https://discokeyus.lat/apilaspnet_regiis.exe, 0000000A.00000003.2635030453.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    https://support.microsofaspnet_regiis.exe, 0000000A.00000003.2639162987.0000000005003000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      https://discokeyus.lat/aspnet_regiis.exe, 0000000A.00000003.2635125261.000000000281C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.3046409300.000000000285D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.3035642877.0000000002858000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2715664410.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2716488968.0000000002806000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714253071.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2713947965.0000000004FA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2714452159.0000000002806000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        http://crt.rootca1.amazontrust.com/rootca1.cer0?aspnet_regiis.exe, 0000000A.00000003.2689141998.0000000004FDC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          https://discokeyus.lat/ftaspnet_regiis.exe, 0000000A.00000003.2609684175.000000000281D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            http://notepoud-plus.cn.com/error.php?ref=0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D290000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                                              https://discokeyus.lat:443/apiaspnet_regiis.exe, 0000000A.00000003.3036125237.0000000004FB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examplesaspnet_regiis.exe, 0000000A.00000003.2639287809.0000000004FD5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850c12cb864c6.exe, 0000002D.00000003.2731140509.0000000007D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=aspnet_regiis.exe, 0000000A.00000003.2637419412.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2637080488.0000000004FEC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000003.2636537487.0000000004FEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      https://peps.python.org/pep-0263/0KGPkVX.exe, 00000007.00000000.2516927124.00007FF68D0A4000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                                                        • No. of IPs < 25%
                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.43 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | false
185.121.15.192 | unknown | Spain | 207046 | REDSERVICIOES | false
172.217.19.228 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
172.217.17.78 | unknown | United States | 15169 | GOOGLEUS | false
185.215.113.16 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | false
34.226.108.155 | unknown | United States | 14618 | AMAZON-AESUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
185.156.73.23 | unknown | Russian Federation | 48817 | RELDAS-NETRU | false
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | false
64.233.162.84 | unknown | United States | 15169 | GOOGLEUS | false
142.250.181.99 | unknown | United States | 15169 | GOOGLEUS | false
216.107.136.194 | unknown | United States | 395111 | KVCNET-2009US | false
172.67.197.170 | unknown | United States | 13335 | CLOUDFLARENETUS | false
31.41.244.11 | unknown | Russian Federation | 61974 | AEROEXPRESS-ASRU | false
                                                                                                                        IP
                                                                                                                        127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579298
Start date and time: 2024-12-21 14:13:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 20m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 94
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@179/28@0/16
EGA Information:
• Successful, ratio: 75%
HCA Information: Failed
                                                                                                                        Cookbook Comments:
                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                        • Max analysis timeout: 600s exceeded, the analysis took too long
                                                                                                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                        • Execution Graph export aborted for target e7a505b613.exe, PID 6940 because there are no executed function
                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                        • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
08:15:01 | API Interceptor | 10972317x Sleep call for process: skotes.exe modified
08:15:30 | API Interceptor | 8x Sleep call for process: aspnet_regiis.exe modified
08:15:38 | API Interceptor | 3x Sleep call for process: WMIC.exe modified
08:16:06 | API Interceptor | 85x Sleep call for process: e7a505b613.exe modified
08:16:15 | API Interceptor | 545882x Sleep call for process: c12cb864c6.exe modified
08:16:22 | API Interceptor | 352865x Sleep call for process: 5b6f15dae8.exe modified
08:16:32 | API Interceptor | 676x Sleep call for process: df1fc80896.exe modified
13:14:00 | Task Scheduler | Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
13:15:49 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Updater C:\Users\Public\Netstat\taskhostw.exe
13:15:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Updater C:\Users\Public\Netstat\taskhostw.exe
13:16:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run e7a505b613.exe C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe
13:16:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run df1fc80896.exe C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe
13:16:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 9d3c5f87fc.exe C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe
13:16:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run acfd211374.exe C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe
13:16:44 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Updater C:\Users\Public\Netstat\taskhostw.exe
13:16:47 | Task Scheduler | Run new task: Intel_PTT_EK_Recertification path: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
13:16:57 | Task Scheduler | Run new task: Gxtuum path: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe
13:16:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run e7a505b613.exe C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe
13:17:03 | Task Scheduler | Run new task: MyBootTask path: C:\Users\user\AppData\Local\Temp\1019392001\1e89408d66.exe
13:17:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run df1fc80896.exe C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe
13:17:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 9d3c5f87fc.exe C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe
13:17:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run acfd211374.exe C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe
13:17:37 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Graph C:\Program Files\Windows Media Player\graph\graph.exe
13:17:47 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Graph C:\Program Files\Windows Media Player\graph\graph.exe
13:18:28 | Task Scheduler | Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe
13:18:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ClipboardCrypto C:\Users\user\AppData\Roaming\user\HfDIiv3.exe
13:18:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ClipboardCrypto C:\Users\user\AppData\Roaming\user\HfDIiv3.exe
13:21:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 8e59839274.exe C:\Users\user\AppData\Local\Temp\1019401001\8e59839274.exe
13:22:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ac43ed0e21.exe C:\Users\user\AppData\Local\Temp\1019402001\ac43ed0e21.exe
13:22:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run c917b0ed14.exe C:\Users\user\AppData\Local\Temp\1019403001\c917b0ed14.exe
13:22:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 8e59839274.exe C:\Users\user\AppData\Local\Temp\1019401001\8e59839274.exe
13:22:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ac43ed0e21.exe C:\Users\user\AppData\Local\Temp\1019402001\ac43ed0e21.exe
13:22:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run c917b0ed14.exe C:\Users\user\AppData\Local\Temp\1019403001\c917b0ed14.exe
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe
                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49152
                                                                                                                        Entropy (8bit):0.8180424350137764
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                        MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                        SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                        SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                        SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe
                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):106496
                                                                                                                        Entropy (8bit):1.1358696453229276
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                        MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                        SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                        SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                        SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe
                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):40960
                                                                                                                        Entropy (8bit):0.8553638852307782
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe
                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):9147506
                                                                                                                        Entropy (8bit):6.93763600796956
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:196608:wtcGVQE2XmLX3ffGzJENyIqH1uW9BZ7G1ztSXQqPfu:wtc0Q3XmLESyIqfUTkfu
                                                                                                                        MD5:1C848C274240A7B5561550C4867C336F
                                                                                                                        SHA1:FE286E578F0652077CD858850939A152835DCC6C
                                                                                                                        SHA-256:8B5AF8709908FA9DA7792816D03FEB6287DED45A9CB5A5AFD4F061113638A092
                                                                                                                        SHA-512:7D96FD7398CE1A3199EA4CB0C7BC4E0F7B76692D9200DD27499B3F96E50A0B91CC77169AD542BE46C74FC09E13A84597D180C4C4F0FD23CE45E8C3FA99C8042D
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                         • Antivirus: Virustotal, Detection: 9%
                                                                                                                        Reputation:unknown
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe
                                                                                                                        File Type:CSV text
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):226
                                                                                                                        Entropy (8bit):5.360398796477698
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                                                                                        MD5:3A8957C6382192B71471BD14359D0B12
                                                                                                                        SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                                                                                        SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                                                                                        SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):42
                                                                                                                        Entropy (8bit):4.0050635535766075
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                                                        MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                                                        SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                                                        SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                                                        SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                                                        Malicious:false
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):9147506
                                                                                                                        Entropy (8bit):6.93763600796956
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:196608:wtcGVQE2XmLX3ffGzJENyIqH1uW9BZ7G1ztSXQqPfu:wtc0Q3XmLESyIqfUTkfu
                                                                                                                        MD5:1C848C274240A7B5561550C4867C336F
                                                                                                                        SHA1:FE286E578F0652077CD858850939A152835DCC6C
                                                                                                                        SHA-256:8B5AF8709908FA9DA7792816D03FEB6287DED45A9CB5A5AFD4F061113638A092
                                                                                                                        SHA-512:7D96FD7398CE1A3199EA4CB0C7BC4E0F7B76692D9200DD27499B3F96E50A0B91CC77169AD542BE46C74FC09E13A84597D180C4C4F0FD23CE45E8C3FA99C8042D
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                         • Antivirus: Virustotal, Detection: 9%
                                                                                                                        Reputation:unknown
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1840128
                                                                                                                        Entropy (8bit):7.949032397312145
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:49152:8twBlET1vspzlAFWVEtAvg/qzrImxzRh02h5wiqHP+:UwBlExvwa0EtAo/Dmpb7hfMm
                                                                                                                        MD5:BF56486B61F1A99182F133AC8A3937E6
                                                                                                                        SHA1:36DF5535AA7AC556AE518109824E06C99EA99245
                                                                                                                        SHA-256:5FD0D95B773360005BA3A149D3F63E3998BE1C1B78E91D17D03C79D2168BBB1E
                                                                                                                        SHA-512:45E3B6019F707BC53408FE1862DF69446ED5BE8934DF97D0D92D6339AD55E9F4A8AFFBB831EE12305D4C9BED3098B3816F5FD450F70F1C2E1D0DFF5CA34B05F5
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                         • Antivirus: Avira, Detection: 100%
                                                                                                                         • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4438776
                                                                                                                        Entropy (8bit):7.99505709582503
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
                                                                                                                        MD5:3A425626CBD40345F5B8DDDD6B2B9EFA
                                                                                                                        SHA1:7B50E108E293E54C15DCE816552356F424EEA97A
                                                                                                                        SHA-256:BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
                                                                                                                        SHA-512:A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                         • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        • Antivirus: ReversingLabs, Detection: 87%
                                                                                                                         • Antivirus: Virustotal, Detection: 75%
                                                                                                                        Reputation:unknown
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4452864
                                                                                                                        Entropy (8bit):7.978607220579395
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:RTLUQszUoTnT6z2tbInFnuKAwIEukmS1sToNRSNwqZysV:ehT6SGFn/NI0sTo3SNV7V
                                                                                                                        MD5:4A09A81EBF7BEE536D365270FCB2F9AC
                                                                                                                        SHA1:5D6388BE06C33C95A80C35F960394EDA8BAF603E
                                                                                                                        SHA-256:05FD14FC6511AC0A2C1460C5A17470AE35993174BBCBE7E8D0E9A36CA148AA66
                                                                                                                        SHA-512:8BF24C9D3C18930FD0D0F83A6AB28204EBE178119B36C1034D0E594040EEDBA5849769A078EBD82DCCC0624B2CC3CD3815C5A928BDF34EF6C4DA79D422A4F7AD
                                                                                                                        Malicious:true
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@..........................@........D...@... ............................._.r.s.....r.....................,....................................................................................... . ..r......4(.................@....rsrc.........r......D(.............@....idata ......r......F(.............@... ..8...r......H(.............@...cfpxwuqa.....p.......J(.............@...eexnemuq..............C.............@....taggant.0......."....C.............@...........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):970240
                                                                                                                        Entropy (8bit):6.702697443144343
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24576:+qDEvCTbMWu7rQYlBQcBiT6rprG8aLJSt:+TvC/MTQYxsWR7aLJ
                                                                                                                        MD5:FD7AA6A3EB85D4E29403D5EC15D19029
                                                                                                                        SHA1:934A72F6F8C67D220CBA9CF9940318FDE2794337
                                                                                                                        SHA-256:F6D1FC23858D2EA98530A86F79A6D21C28602AF0D38AA2B14A8D6DFDBDF290E1
                                                                                                                        SHA-512:6F3D1FEBC8C1B5931EDC322530989E4198DB8B0DE592C741E1814EA315EA96FF4F02AF485A89A945A32F0FA393050644F2453C1BE9B6D53C65D78E3BD05A5F59
                                                                                                                        Malicious:true
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....fg..........".................w.............@..........................0......P.....@...@.......@.....................d...|....@...b.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....b...@...d..................@..@.reloc...u.......v...X..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1914880
                                                                                                                        Entropy (8bit):7.938506934987747
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:49152:tEUr5fRFAZmYEuoqNGsDfxOPfHzTOYsohE:t7BspoqppOPv/h
                                                                                                                        MD5:7D259326E9642C8A13D30573DAFE3D90
                                                                                                                        SHA1:FC5BA1D2215D2785B5223F501CE0254973ADAD2C
                                                                                                                        SHA-256:CB6B4BB0B3FC19A3626BD33F40F4399E667DB405F4AC56B69B2B271816DF371B
                                                                                                                        SHA-512:DDB2E84A2F3E88EDA5F4C847A7BB836FC7EFF26D6D47D5E74BC27180F6F346B78CB5D4AA35040B6BE0F24E53651024EA59A9623F83C939762CCC216A567E4FBB
                                                                                                                        Malicious:true
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@....................@........................................................................[.A.o.....@............................................................................................................. . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... ..(...A.....................@...hryplxhh.@...Pj..>..................@...kfhnvius............................@....taggant.0......."..................@...........................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2772992
                                                                                                                        Entropy (8bit):6.521650735536046
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:49152:/63t3PB+CacRBv0QxhYw07fXvSVmlcl+GOxi:/6d3PB+CacfTkHPv0mlcq8
                                                                                                                        MD5:46DFC30934FDF5265BB94682C9DF6CEF
                                                                                                                        SHA1:7B795842A8307A310B3175EFEA0091FEDA29B44A
                                                                                                                        SHA-256:04253EF0C2E4AA2B6A05A0E69EB0E01ED1C0052479FEBFA94C50C938E1FB15FD
                                                                                                                        SHA-512:711A760332345511FAA0E4DCD478E7B075EF8F9F2423A82D4961623CAE8DAB3C094D3092F06056778C2B984F6BFC9308370202C3085DE98531F7A197B7537F7C
                                                                                                                        Malicious:true
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ........................*.......*...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...juuuzidd..).......)..h..............@...vjgjjgcb. ....*......**.............@....taggant.@....*.."....*.............@...................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):656896
                                                                                                                        Entropy (8bit):7.102765645250726
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:vYZc9QBEsIHhUpYivTVCuhI80DlF3FXf/c:vwctsPpBTVCwI80r3FXfU
                                                                                                                        MD5:F6AF9584B24DD2A354C1BF537DE92823
                                                                                                                        SHA1:6B8C53DF9AF8899B5E63CBA976550E2B16F0CA4B
                                                                                                                        SHA-256:844EB87F5468D53E5FC694C975CF67867DE111AAE283E9EC7567ABFF23F6CF3C
                                                                                                                        SHA-512:6BFEE0A7436E88F92598CDA8C9D78D7DCD61638A02C5C3DF537AD2AF54D64EE78A546B0208CED0C7DAB272AAE65A34CCEB2C609EAD57200798A510C407B1E177
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fg..............0.............j@... ... ....@.. .......................`............@..................................@..O.... ..\....................@....................................................... ............... ..H............text...p.... ...................... ..`.rsrc...\.... ......................@..@.reloc.......@......................@..B................L@......H.......`&..............................................................".(.....*>.(.......}....*....(....}.....(........{....r...p.c.l(....(....}....*..0........... .....&...%.....(.......+..*F...(.....`(.....*..0............(......,...(......*....0..:..........+*......f....&...%G.iY.R...&...%G.4X.R...X....i....-.*F...(......(.....*.0...........s......{....(.....(......(......{.....(......{....(......~....(......,R..r...p(........~....(........,1........(....( ...t........o
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2902528
                                                                                                                        Entropy (8bit):6.475560184949809
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24576:m/voM07L1LfFKO6tTJ53+tE6kLT+5KEY+Hz8846amFUfxqYOmsrEp+9ZCkgG7RzZ:JMg1Lfsv3B7cHYO0x4msrvZCTKR5bnD
                                                                                                                        MD5:6573693C2C60CF961BCCC52212548798
                                                                                                                        SHA1:2FEEBB1FA6BB01383984B487E81A2EA95A30DD46
                                                                                                                        SHA-256:69D63576968A32F9C76CA14BBF10993300FE50799A396F87CA58612C8838EF2F
                                                                                                                        SHA-512:8DA5314AEF5C69193589A49DB2EEB8853C4AC1ACABB823EC4BE0ACC4B9683B4E8C4C686DFF134C44A8191008C5B6DBF1484B163A418E1F160524927AFE6BD420
                                                                                                                        Malicious:true
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........O...........@...........................O......=-...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...prrpsiqo..*...$...*..|..............@...wevongkt.....pO......$,.............@....taggant.0....O.."...(,.............@...........................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):9147506
                                                                                                                        Entropy (8bit):6.93763600796956
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:196608:wtcGVQE2XmLX3ffGzJENyIqH1uW9BZ7G1ztSXQqPfu:wtc0Q3XmLESyIqfUTkfu
                                                                                                                        MD5:1C848C274240A7B5561550C4867C336F
                                                                                                                        SHA1:FE286E578F0652077CD858850939A152835DCC6C
                                                                                                                        SHA-256:8B5AF8709908FA9DA7792816D03FEB6287DED45A9CB5A5AFD4F061113638A092
                                                                                                                        SHA-512:7D96FD7398CE1A3199EA4CB0C7BC4E0F7B76692D9200DD27499B3F96E50A0B91CC77169AD542BE46C74FC09E13A84597D180C4C4F0FD23CE45E8C3FA99C8042D
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4..Zp..p..p..;...x..;......;...z..`I..y..`I..a..`I..X..;...w..p.....;H..w..;H..q..;Hx.q..p...q..;H..q..Richp..........................PE..d...=d'g.........."....)......Z......Z.........@.............................._...........`.........................................@...........P.......,NX..`...:............^.....0...................................@...............(............................text............................... ..`.rdata...m.......n..................@..@.data....5... ......................@....pdata...:...`...<..................@..@.rsrc...,NX......PX..Z..............@..@.reloc........^.......^.............@..B........................................................................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):656896
                                                                                                                        Entropy (8bit):7.102765645250726
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:vYZc9QBEsIHhUpYivTVCuhI80DlF3FXf/c:vwctsPpBTVCwI80r3FXfU
                                                                                                                        MD5:F6AF9584B24DD2A354C1BF537DE92823
                                                                                                                        SHA1:6B8C53DF9AF8899B5E63CBA976550E2B16F0CA4B
                                                                                                                        SHA-256:844EB87F5468D53E5FC694C975CF67867DE111AAE283E9EC7567ABFF23F6CF3C
                                                                                                                        SHA-512:6BFEE0A7436E88F92598CDA8C9D78D7DCD61638A02C5C3DF537AD2AF54D64EE78A546B0208CED0C7DAB272AAE65A34CCEB2C609EAD57200798A510C407B1E177
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fg..............0.............j@... ... ....@.. .......................`............@..................................@..O.... ..\....................@....................................................... ............... ..H............text...p.... ...................... ..`.rsrc...\.... ......................@..@.reloc.......@......................@..B................L@......H.......`&..............................................................".(.....*>.(.......}....*....(....}.....(........{....r...p.c.l(....(....}....*..0........... .....&...%.....(.......+..*F...(.....`(.....*..0............(......,...(......*....0..:..........+*......f....&...%G.iY.R...&...%G.4X.R...X....i....-.*F...(......(.....*.0...........s......{....(.....(......(......{.....(......{....(......~....(......,R..r...p(........~....(........,1........(....( ...t........o
                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4452864
                                                                                                                        Entropy (8bit):7.978607220579395
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:RTLUQszUoTnT6z2tbInFnuKAwIEukmS1sToNRSNwqZysV:ehT6SGFn/NI0sTo3SNV7V
                                                                                                                        MD5:4A09A81EBF7BEE536D365270FCB2F9AC
                                                                                                                        SHA1:5D6388BE06C33C95A80C35F960394EDA8BAF603E
                                                                                                                        SHA-256:05FD14FC6511AC0A2C1460C5A17470AE35993174BBCBE7E8D0E9A36CA148AA66
                                                                                                                        SHA-512:8BF24C9D3C18930FD0D0F83A6AB28204EBE178119B36C1034D0E594040EEDBA5849769A078EBD82DCCC0624B2CC3CD3815C5A928BDF34EF6C4DA79D422A4F7AD
                                                                                                                        Malicious:true
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Reputation:unknown
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@..........................@........D...@... ............................._.r.s.....r.....................,....................................................................................... . ..r......4(.................@....rsrc.........r......D(.............@....idata ......r......F(.............@... ..8...r......H(.............@...cfpxwuqa.....p.......J(.............@...eexnemuq..............C.............@....taggant.0......."....C.............@...........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1914880
Entropy (8bit):7.938506934987747
Encrypted:false
SSDEEP:49152:tEUr5fRFAZmYEuoqNGsDfxOPfHzTOYsohE:t7BspoqppOPv/h
MD5:7D259326E9642C8A13D30573DAFE3D90
SHA1:FC5BA1D2215D2785B5223F501CE0254973ADAD2C
SHA-256:CB6B4BB0B3FC19A3626BD33F40F4399E667DB405F4AC56B69B2B271816DF371B
SHA-512:DDB2E84A2F3E88EDA5F4C847A7BB836FC7EFF26D6D47D5E74BC27180F6F346B78CB5D4AA35040B6BE0F24E53651024EA59A9623F83C939762CCC216A567E4FBB
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1840128
Entropy (8bit):7.949032397312145
Encrypted:false
SSDEEP:49152:8twBlET1vspzlAFWVEtAvg/qzrImxzRh02h5wiqHP+:UwBlExvwa0EtAo/Dmpb7hfMm
MD5:BF56486B61F1A99182F133AC8A3937E6
SHA1:36DF5535AA7AC556AE518109824E06C99EA99245
SHA-256:5FD0D95B773360005BA3A149D3F63E3998BE1C1B78E91D17D03C79D2168BBB1E
SHA-512:45E3B6019F707BC53408FE1862DF69446ED5BE8934DF97D0D92D6339AD55E9F4A8AFFBB831EE12305D4C9BED3098B3816F5FD450F70F1C2E1D0DFF5CA34B05F5
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2902528
Entropy (8bit):6.475560184949809
Encrypted:false
SSDEEP:24576:m/voM07L1LfFKO6tTJ53+tE6kLT+5KEY+Hz8846amFUfxqYOmsrEp+9ZCkgG7RzZ:JMg1Lfsv3B7cHYO0x4msrvZCTKR5bnD
MD5:6573693C2C60CF961BCCC52212548798
SHA1:2FEEBB1FA6BB01383984B487E81A2EA95A30DD46
SHA-256:69D63576968A32F9C76CA14BBF10993300FE50799A396F87CA58612C8838EF2F
SHA-512:8DA5314AEF5C69193589A49DB2EEB8853C4AC1ACABB823EC4BE0ACC4B9683B4E8C4C686DFF134C44A8191008C5B6DBF1484B163A418E1F160524927AFE6BD420
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):970240
Entropy (8bit):6.702697443144343
Encrypted:false
SSDEEP:24576:+qDEvCTbMWu7rQYlBQcBiT6rprG8aLJSt:+TvC/MTQYxsWR7aLJ
MD5:FD7AA6A3EB85D4E29403D5EC15D19029
SHA1:934A72F6F8C67D220CBA9CF9940318FDE2794337
SHA-256:F6D1FC23858D2EA98530A86F79A6D21C28602AF0D38AA2B14A8D6DFDBDF290E1
SHA-512:6F3D1FEBC8C1B5931EDC322530989E4198DB8B0DE592C741E1814EA315EA96FF4F02AF485A89A945A32F0FA393050644F2453C1BE9B6D53C65D78E3BD05A5F59
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2772992
Entropy (8bit):6.521650735536046
Encrypted:false
SSDEEP:49152:/63t3PB+CacRBv0QxhYw07fXvSVmlcl+GOxi:/6d3PB+CacfTkHPv0mlcq8
MD5:46DFC30934FDF5265BB94682C9DF6CEF
SHA1:7B795842A8307A310B3175EFEA0091FEDA29B44A
SHA-256:04253EF0C2E4AA2B6A05A0E69EB0E01ED1C0052479FEBFA94C50C938E1FB15FD
SHA-512:711A760332345511FAA0E4DCD478E7B075EF8F9F2423A82D4961623CAE8DAB3C094D3092F06056778C2B984F6BFC9308370202C3085DE98531F7A197B7537F7C
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4438776
Entropy (8bit):7.99505709582503
Encrypted:true
SSDEEP:98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 87%
Reputation:unknown
Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3185152
Entropy (8bit):6.675895747026635
Encrypted:false
SSDEEP:49152:kp41N/sSySDz5y6RK5swYTz42X2GPc6mz1:K2spSDz5PK51YTEU21fz
MD5:7DC7A8D2E9D44CAE10B9B55B65585DDC
SHA1:3E78D38A9CE837926831EA27A0EFB1A262877334
SHA-256:EFBFD7A968DC584C166551F171937DA09DD94178B8C27E09F5EAB73D1641D0D0
SHA-512:E33388557FCEA27A9D5BE98EB2DC308BE8D5D8D3AFCB0E27D8834A96C95BA41F97C47F59DE8227FD13667E8692E9063162B1D60A84161F57E4F8905F6D6483FE
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 55%
Reputation:unknown
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:unknown
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):645120
Entropy (8bit):7.109389669783008
Encrypted:false
SSDEEP:12288:dWV+mldfRilDLOLVagVwITIi+aui1yXICiO8b:dWV+wileL1Txui1Ua
MD5:905363A3B55E87A2A2A4A9868FE676FB
SHA1:D46ECB7CBA202857F4825166AEED5FD31B7E815D
SHA-256:54951383B8490AC501EA3B9E34522309AC68483F5413F230DA3AD99342139B37
SHA-512:5AEACBEEDBF23105560A5C0E10455D0EFFB51DA1C0ECC4D16572A26D6F359C2214250CF11A8277F3FAA5CD81CCC9296825B783CAEB60702C37489BFDE735384D
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\user\Desktop\file.exe
File Type:data
Category:dropped
Size (bytes):284
Entropy (8bit):3.403916835536024
Encrypted:false
SSDEEP:6:1CwyfdlVXflNeRKUEZ+lX1CGdKUe6tPjgsW2YRZuy0lDKldt0:Iwylrf2RKQ1CGAFAjzvYRQVDKzt0
MD5:2900C60252CFC95804ADDE839D7D0310
SHA1:FD6133D6B4D838957DF0F85E379DCFE39D94A525
SHA-256:4A4A7BA428A94041E196A4441618B5EC99EC5E22FB54CFDD18D919AF8F483C85
SHA-512:CAFA2EE4E4BD5F295A3B55959416B925B2E047171CD2A911367A83EB36A4F47A58326BE8819F1716AFF115B93440A798B65473A4AB52680FD3493FE434C87AFC
Malicious:false
Reputation:unknown
                                                                                                                        Preview:........D.@..=:.!.5F.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0...................@3P.........................
                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Entropy (8bit):6.675895747026635
                                                                                                                        TrID:
                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                        File name:file.exe
                                                                                                                        File size:3'185'152 bytes
                                                                                                                        MD5:7dc7a8d2e9d44cae10b9b55b65585ddc
                                                                                                                        SHA1:3e78d38a9ce837926831ea27a0efb1a262877334
                                                                                                                        SHA256:efbfd7a968dc584c166551f171937da09dd94178b8c27e09f5eab73d1641d0d0
                                                                                                                        SHA512:e33388557fcea27a9d5be98eb2dc308be8d5d8d3afcb0e27d8834a96c95ba41f97c47f59de8227fd13667e8692e9063162b1d60a84161f57e4f8905f6d6483fe
                                                                                                                        SSDEEP:49152:kp41N/sSySDz5y6RK5swYTz42X2GPc6mz1:K2spSDz5PK51YTEU21fz
                                                                                                                        TLSH:ECE53A72E51DB5CBD88E12349427CD81EA5E43B50725C8E3AAECA4BE6E73CC21775C24
                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................
                                                                                                                        Icon Hash:90cececece8e8eb0
                                                                                                                        Entrypoint:0x70a000
                                                                                                                        Entrypoint Section:.taggant
                                                                                                                        Digitally signed:false
                                                                                                                        Imagebase:0x400000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                        Time Stamp:0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:6
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:6
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:6
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                                                        Instruction
                                                                                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a057 | 0x6b | .idata
                                                                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69000 | 0x5d4 | .rsrc
                                                                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x308abc | 0x10 | cqjlvrjj
                                                                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x308a6c | 0x18 | cqjlvrjj
                                                                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                                                          | 0x1000 | 0x68000 | 0x68000 | 5042a5d5edd12ea907e007b2d9ec7833 | False | 0.5640963040865384 | data | 7.110293266300148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                         .rsrc | 0x69000 | 0x5d4 | 0x600 | 1e55db351164df1643ae87d7efa3ee0f | False | 0.4303385416666667 | data | 5.417125179370491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                         .idata | 0x6a000 | 0x1000 | 0x200 | cc76e3822efdc911f469a3e3cc9ce9fe | False | 0.1484375 | data | 1.0428145631430756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                         cqjlvrjj | 0x6b000 | 0x29e000 | 0x29dc00 | 9e40ce85e729caf246c41a183c24ac3d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                         fvbffgym | 0x309000 | 0x1000 | 0x400 | daf5bb14ca4e36f9a17009330a7c5d27 | False | 0.80859375 | data | 6.2618429939557805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                         .taggant | 0x30a000 | 0x3000 | 0x2200 | a8d721d0057cd3ce94ed08567baf1e26 | False | 0.06732536764705882 | DOS executable (COM) | 0.806136303659089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                                                         RT_MANIFEST | 0x69070 | 0x3e4 | XML 1.0 document, ASCII text | | | 0.48092369477911645
                                                                                                                         RT_MANIFEST | 0x69454 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                                                                                                         DLL | Import
                                                                                                                         kernel32.dll | lstrcpy
                                                                                                                         Language of compilation system | Country where language is spoken | Map
                                                                                                                         English | United States |
                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                        Target ID:0
                                                                                                                        Start time:08:13:59
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Users\user\Desktop\file.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                        Imagebase:0x890000
                                                                                                                        File size:3'185'152 bytes
                                                                                                                        MD5 hash:7DC7A8D2E9D44CAE10B9B55B65585DDC
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                         • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:1
Start time:08:14:02
Start date:21/12/2024
Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:0xc00000
File size:3'185'152 bytes
MD5 hash:7DC7A8D2E9D44CAE10B9B55B65585DDC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 55%, ReversingLabs
Reputation:low
Has exited:true

Target ID:5
Start time:08:15:00
Start date:21/12/2024
Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:0xc00000
File size:3'185'152 bytes
MD5 hash:7DC7A8D2E9D44CAE10B9B55B65585DDC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:7
Start time:08:15:23
Start date:21/12/2024
Path:C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Temp\1019345001\0KGPkVX.exe"
Imagebase:0x7ff68ccc0000
File size:9'147'506 bytes
MD5 hash:1C848C274240A7B5561550C4867C336F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 5%, ReversingLabs
Reputation:low
Has exited:true

Target ID:8
Start time:08:15:29
Start date:21/12/2024
Path:C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe"
Imagebase:0x130000
File size:656'896 bytes
MD5 hash:F6AF9584B24DD2A354C1BF537DE92823
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation:low
Has exited:true

Target ID:9
Start time:08:15:29
Start date:21/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:08:15:30
Start date:21/12/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:0x3c0000
File size:43'016 bytes
MD5 hash:5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2727593553.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2715280406.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2727112349.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2721792567.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2725004156.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2726047574.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2723994040.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2723213122.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2723742687.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2724742164.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2727851900.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2723498753.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2715664410.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2725469085.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2726296508.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2872775779.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2726799865.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2728097001.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2722240097.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2725233317.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2716488968.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2872129810.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2724446404.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2728337687.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2722936027.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2726544967.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2728624365.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.2714452159.0000000002806000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:moderate
Has exited:true

Target ID:11
Start time:08:15:30
Start date:21/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:0x7ff7b58f0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:08:15:30
Start date:21/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:08:15:30
Start date:21/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist
Imagebase:0x7ff623840000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:14
Start time:08:15:31
Start date:21/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:0x7ff7b58f0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:08:15:31
Start date:21/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:08:15:31
Start date:21/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist
Imagebase:0x7ff623840000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
                                                                                                                        Has exited:true

                                                                                                                        Target ID:17
                                                                                                                        Start time:08:15:32
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:18
                                                                                                                        Start time:08:15:32
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:19
                                                                                                                        Start time:08:15:32
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\tasklist.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:tasklist
                                                                                                                        Imagebase:0x7ff623840000
                                                                                                                        File size:106'496 bytes
                                                                                                                        MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:20
                                                                                                                        Start time:08:15:33
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:21
                                                                                                                        Start time:08:15:33
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:22
                                                                                                                        Start time:08:15:33
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\tasklist.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:tasklist
                                                                                                                        Imagebase:0x7ff623840000
                                                                                                                        File size:106'496 bytes
                                                                                                                        MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:23
                                                                                                                        Start time:08:15:34
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:24
                                                                                                                        Start time:08:15:34
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:25
                                                                                                                        Start time:08:15:34
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\tasklist.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:tasklist
                                                                                                                        Imagebase:0x7ff623840000
                                                                                                                        File size:106'496 bytes
                                                                                                                        MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:26
                                                                                                                        Start time:08:15:35
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:27
                                                                                                                        Start time:08:15:35
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:28
                                                                                                                        Start time:08:15:35
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\tasklist.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:tasklist
                                                                                                                        Imagebase:0x7ff623840000
                                                                                                                        File size:106'496 bytes
                                                                                                                        MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:29
                                                                                                                        Start time:08:15:35
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:30
                                                                                                                        Start time:08:15:35
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:31
                                                                                                                        Start time:08:15:36
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\tasklist.exe
                                                                                                                        Wow64 process (32bit):false
Commandline: tasklist
Imagebase: 0x7ff623840000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 08:15:37
Start date: 21/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "ver"
Imagebase: 0x7ff7b58f0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 08:15:37
Start date: 21/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 08:15:38
Start date: 21/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "ver"
Imagebase: 0x7ff7b58f0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 08:15:38
Start date: 21/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 08:15:38
Start date: 21/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId,Name,SerialNumber /format:csv"
Imagebase: 0x7ff7b58f0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 08:15:38
Start date: 21/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 08:15:38
Start date: 21/12/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic cpu get ProcessorId,Name,SerialNumber /format:csv
Imagebase: 0x7ff7d1530000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 08:15:38
Start date: 21/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid,IdentifyingNumber,Name /format:csv"
Imagebase: 0x7ff7b58f0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 08:15:38
Start date: 21/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 08:15:39
Start date: 21/12/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic csproduct get uuid,IdentifyingNumber,Name /format:csv
Imagebase: 0x7ff7d1530000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 08:15:39
Start date: 21/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic bios get SerialNumber,Name /format:csv"
Imagebase: 0x7ff7b58f0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 08:15:39
Start date: 21/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 08:15:39
Start date: 21/12/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic bios get SerialNumber,Name /format:csv
Imagebase: 0x7ff7d1530000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 08:15:42
Start date: 21/12/2024
Path: C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\1019383001\c12cb864c6.exe"
Imagebase: 0xcb0000
File size: 4'452'864 bytes
MD5 hash: 4A09A81EBF7BEE536D365270FCB2F9AC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Has exited: false

Target ID: 46
Start time: 08:15:47
Start date: 21/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Imagebase: 0x7ff7b58f0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 47
Start time: 08:15:47
Start date: 21/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 48
Start time: 08:15:47
Start date: 21/12/2024
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
Imagebase: 0x7ff7cbe40000
File size: 77'312 bytes
MD5 hash: 227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 49
Start time: 08:15:47
Start date: 21/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "%Public%\Netstat\taskhostw.exe"
Imagebase: 0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:50
                                                                                                                        Start time:08:15:47
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:51
                                                                                                                        Start time:08:15:47
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\reg.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /F /D "C:\Users\Public\Netstat\taskhostw.exe"
                                                                                                                        Imagebase:0x7ff7cbe40000
                                                                                                                        File size:77'312 bytes
                                                                                                                        MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:52
                                                                                                                        Start time:08:15:48
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:cmd.exe /C "C:\Users\Public\Netstat\taskhostw.exe"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:false

                                                                                                                        Target ID:53
                                                                                                                        Start time:08:15:48
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:false

                                                                                                                        Target ID:54
                                                                                                                        Start time:08:15:48
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Users\Public\Netstat\taskhostw.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Users\Public\Netstat\taskhostw.exe
                                                                                                                        Imagebase:0x7ff67cdd0000
                                                                                                                        File size:9'147'506 bytes
                                                                                                                        MD5 hash:1C848C274240A7B5561550C4867C336F
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                        • Detection: 5%, ReversingLabs
                                                                                                                        • Detection: 9%, Virustotal, Browse
                                                                                                                        Has exited:false

                                                                                                                        Target ID:55
                                                                                                                        Start time:08:15:50
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1019384001\5b6f15dae8.exe"
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:1'914'880 bytes
                                                                                                                        MD5 hash:7D259326E9642C8A13D30573DAFE3D90
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Avira
                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                        Has exited:false

                                                                                                                        Target ID:56
                                                                                                                        Start time:08:15:51
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:cmd.exe /C taskkill /F /PID 7720 & del /f /q "0KGPkVX.exe"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:57
                                                                                                                        Start time:08:15:51
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:58
                                                                                                                        Start time:08:15:51
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:taskkill /F /PID 7720
                                                                                                                        Imagebase:0x7ff71cef0000
                                                                                                                        File size:101'376 bytes
                                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:59
                                                                                                                        Start time:08:15:56
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:60
                                                                                                                        Start time:08:15:56
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:61
                                                                                                                        Start time:08:15:56
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\tasklist.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:tasklist
                                                                                                                        Imagebase:0x7ff623840000
                                                                                                                        File size:106'496 bytes
                                                                                                                        MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:62
                                                                                                                        Start time:08:15:58
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Users\Public\Netstat\taskhostw.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:"C:\Users\Public\Netstat\taskhostw.exe"
                                                                                                                        Imagebase:0x7ff67cdd0000
                                                                                                                        File size:9'147'506 bytes
                                                                                                                        MD5 hash:1C848C274240A7B5561550C4867C336F
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:63
                                                                                                                        Start time:08:15:59
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:64
                                                                                                                        Start time:08:15:59
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:65
                                                                                                                        Start time:08:15:59
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe"
                                                                                                                        Imagebase:0xb80000
                                                                                                                        File size:1'840'128 bytes
                                                                                                                        MD5 hash:BF56486B61F1A99182F133AC8A3937E6
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Avira
                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                        Has exited:true

                                                                                                                        Target ID:66
                                                                                                                        Start time:08:15:59
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\tasklist.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:tasklist
                                                                                                                        Imagebase:0x7ff623840000
                                                                                                                        File size:106'496 bytes
                                                                                                                        MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:67
                                                                                                                        Start time:08:16:06
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Users\Public\Netstat\taskhostw.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:"C:\Users\Public\Netstat\taskhostw.exe"
                                                                                                                        Imagebase:0x7ff67cdd0000
                                                                                                                        File size:9'147'506 bytes
                                                                                                                        MD5 hash:1C848C274240A7B5561550C4867C336F
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:68
                                                                                                                        Start time:08:16:07
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:69
                                                                                                                        Start time:08:16:07
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:70
                                                                                                                        Start time:08:16:08
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\tasklist.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:tasklist
                                                                                                                        Imagebase:0x7ff623840000
                                                                                                                        File size:106'496 bytes
                                                                                                                        MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:71
                                                                                                                        Start time:08:16:09
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe"
                                                                                                                        Imagebase:0x7ff70f330000
                                                                                                                        File size:2'902'528 bytes
                                                                                                                        MD5 hash:6573693C2C60CF961BCCC52212548798
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000047.00000003.3027432883.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Avira
                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                        Has exited:false

                                                                                                                        Target ID:72
                                                                                                                        Start time:08:16:12
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:73
                                                                                                                        Start time:08:16:12
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:74
                                                                                                                        Start time:08:16:12
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\tasklist.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:tasklist
                                                                                                                        Imagebase:0x7ff623840000
                                                                                                                        File size:106'496 bytes
                                                                                                                        MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:75
                                                                                                                        Start time:08:16:15
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1019385001\e7a505b613.exe"
                                                                                                                        Imagebase:0xb80000
                                                                                                                        File size:1'840'128 bytes
                                                                                                                        MD5 hash:BF56486B61F1A99182F133AC8A3937E6
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:false

                                                                                                                        Target ID:76
                                                                                                                        Start time:08:16:17
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe"
                                                                                                                        Imagebase:0xb30000
                                                                                                                        File size:970'240 bytes
                                                                                                                        MD5 hash:FD7AA6A3EB85D4E29403D5EC15D19029
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 100%, Avira
                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                        Has exited:true

                                                                                                                        Target ID:77
                                                                                                                        Start time:08:16:23
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                        Imagebase:0x7ff7b58f0000
                                                                                                                        File size:289'792 bytes
                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:78
                                                                                                                        Start time:08:16:23
                                                                                                                        Start date:21/12/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 79
Start time: 08:16:23
Start date: 21/12/2024
Path: C:\Windows\System32\tasklist.exe
Wow64 process (32bit): false
Commandline: tasklist
Imagebase: 0x7ff623840000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 80
Start time: 08:16:24
Start date: 21/12/2024
Path: C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\1019386001\df1fc80896.exe"
Imagebase: 0xa0000
File size: 2'902'528 bytes
MD5 hash: 6573693C2C60CF961BCCC52212548798
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 81
Start time: 08:16:28
Start date: 21/12/2024
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 82
Start time: 08:16:28
Start date: 21/12/2024
Path: C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\1019388001\acfd211374.exe"
Imagebase: 0x2f0000
File size: 2'772'992 bytes
MD5 hash: 46DFC30934FDF5265BB94682C9DF6CEF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Has exited: true

Target ID: 83
Start time: 08:16:28
Start date: 21/12/2024
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /F /IM firefox.exe /T
Imagebase: 0xdd0000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 84
Start time: 08:16:28
Start date: 21/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 86
Start time: 08:16:30
Start date: 21/12/2024
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2200,i,14515851997365013362,8630844059888402974,262144 /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 87
Start time: 08:16:33
Start date: 21/12/2024
Path: C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\1019387001\9d3c5f87fc.exe"
Imagebase: 0xb30000
File size: 970'240 bytes
MD5 hash: FD7AA6A3EB85D4E29403D5EC15D19029
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Execution Graph

Execution Coverage: 3.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.1%
Total number of Nodes: 761
Total number of Limit Nodes: 13
895c10 6 API calls 12061->12062 12063 898b97 shared_ptr __floor_pentium4 12062->12063 12063->12055 12064 8942b0 12067 893ac0 12064->12067 12066 8942bb shared_ptr 12069 893af9 12067->12069 12068 893b39 __Cnd_destroy_in_situ shared_ptr __Mtx_destroy_in_situ 12068->12066 12069->12068 12072 893c38 12069->12072 12077 8932d0 12069->12077 12071 8932d0 6 API calls 12074 893c5f 12071->12074 12072->12071 12072->12074 12073 893c68 12073->12066 12074->12073 12075 893810 4 API calls 12074->12075 12076 893cdb 12075->12076 12096 8ac6ac 12077->12096 12079 89336b 12102 8ac26a 12079->12102 12081 89333c __Mtx_unlock 12083 8ac26a 5 API calls 12081->12083 12084 893350 __floor_pentium4 12081->12084 12085 893377 12083->12085 12084->12072 12087 8ac6ac GetSystemTimePreciseAsFileTime 12085->12087 12086 893314 12086->12079 12086->12081 12099 8abd4c 12086->12099 12088 8933af 12087->12088 12089 8ac26a 5 API calls 12088->12089 12090 8933b6 __Cnd_broadcast 12088->12090 12089->12090 12091 8ac26a 5 API calls 12090->12091 12092 8933d7 __Mtx_unlock 12090->12092 12091->12092 12093 8ac26a 5 API calls 12092->12093 12094 8933eb 12092->12094 12095 89340e 12093->12095 12094->12072 12095->12072 12106 8ac452 12096->12106 12098 8ac6b9 12098->12086 12123 8abb72 12099->12123 12101 8abd5c 12101->12086 12103 8ac292 12102->12103 12104 8ac274 12102->12104 12103->12103 12104->12103 12129 8ac297 12104->12129 12107 8ac47a __floor_pentium4 12106->12107 12108 8ac4a8 12106->12108 12107->12098 12108->12107 12112 8acf6b 12108->12112 12110 8ac4fd __Xtime_diff_to_millis2 12110->12107 12111 8acf6b _xtime_get GetSystemTimePreciseAsFileTime 12110->12111 12111->12110 12113 8acf7a 12112->12113 12114 8acf87 __aulldvrm 12112->12114 12113->12114 12116 8acf44 12113->12116 12114->12110 12119 8acbea 12116->12119 12120 8acbfb GetSystemTimePreciseAsFileTime 12119->12120 12121 8acc07 12119->12121 12120->12121 12121->12114 12124 8abb9c 12123->12124 12125 8acf6b _xtime_get GetSystemTimePreciseAsFileTime 12124->12125 12128 8abba4 
__Xtime_diff_to_millis2 __floor_pentium4 12124->12128 12126 8abbcf __Xtime_diff_to_millis2 12125->12126 12127 8acf6b _xtime_get GetSystemTimePreciseAsFileTime 12126->12127 12126->12128 12127->12128 12128->12101 12132 892ae0 12129->12132 12131 8ac2ae std::_Throw_future_error 12133 8abedf InitOnceExecuteOnce 12132->12133 12135 892af4 __cftof 12133->12135 12134 892aff 12134->12131 12135->12134 12136 8ca671 __cftof 4 API calls 12135->12136 12137 8c6ccc 12136->12137 12138 8c8bec __cftof 4 API calls 12137->12138 12139 8c6cf6 12138->12139 12239 8977b0 12240 8977f1 shared_ptr 12239->12240 12241 895c10 6 API calls 12240->12241 12243 897883 shared_ptr 12240->12243 12241->12243 12242 895c10 6 API calls 12245 8979e3 12242->12245 12243->12242 12244 897953 shared_ptr __floor_pentium4 12243->12244 12246 895c10 6 API calls 12245->12246 12247 897a15 shared_ptr 12246->12247 12248 895c10 6 API calls 12247->12248 12253 897aa5 shared_ptr __floor_pentium4 12247->12253 12249 897b7d 12248->12249 12250 895c10 6 API calls 12249->12250 12251 897ba0 12250->12251 12252 895c10 6 API calls 12251->12252 12252->12253 12254 8987b0 12255 8987b8 GetFileAttributesA 12254->12255 12256 8987b6 12254->12256 12257 8987c4 12255->12257 12256->12255 12634 898d30 12635 898d80 12634->12635 12636 895c10 6 API calls 12635->12636 12637 898d9a shared_ptr __floor_pentium4 12636->12637 12666 892170 12667 8ac6fc InitializeCriticalSectionEx 12666->12667 12668 89217a 12667->12668 12258 8a47b0 12260 8a4eed 12258->12260 12259 8a4f59 shared_ptr __floor_pentium4 12260->12259 12261 897d30 7 API calls 12260->12261 12262 8a50ed 12261->12262 12297 898380 12262->12297 12264 8a5106 12265 895c10 6 API calls 12264->12265 12266 8a5155 12265->12266 12267 895c10 6 API calls 12266->12267 12268 8a5171 12267->12268 12303 899a00 12268->12303 12298 8983e5 __cftof 12297->12298 12299 895c10 6 API calls 12298->12299 12302 898403 shared_ptr __floor_pentium4 12298->12302 12300 898427 12299->12300 12301 895c10 6 API calls 12300->12301 
12301->12302 12302->12264 12304 899a3f 12303->12304 12305 895c10 6 API calls 12304->12305 12306 899a47 12305->12306 12307 898b30 6 API calls 12306->12307 12308 899a58 12307->12308 11843 8987b2 11844 8987b8 GetFileAttributesA 11843->11844 11845 8987b6 11843->11845 11846 8987c4 11844->11846 11845->11844 12461 89a9f4 12472 899230 12461->12472 12463 89aa03 shared_ptr 12464 895c10 6 API calls 12463->12464 12470 89aab3 shared_ptr 12463->12470 12465 89aa65 12464->12465 12466 895c10 6 API calls 12465->12466 12467 89aa8d 12466->12467 12468 895c10 6 API calls 12467->12468 12468->12470 12471 89ad3c shared_ptr __floor_pentium4 12470->12471 12482 8c8ab6 12470->12482 12475 899284 shared_ptr 12472->12475 12473 895c10 6 API calls 12473->12475 12474 899543 shared_ptr __floor_pentium4 12474->12463 12475->12473 12477 89944f shared_ptr 12475->12477 12476 89979f shared_ptr 12479 8998b5 shared_ptr __floor_pentium4 12476->12479 12480 895c10 6 API calls 12476->12480 12477->12474 12477->12476 12478 895c10 6 API calls 12477->12478 12478->12477 12479->12463 12481 899927 shared_ptr __floor_pentium4 12480->12481 12481->12463 12483 8c8ad1 12482->12483 12484 8c8868 4 API calls 12483->12484 12485 8c8adb 12484->12485 12485->12470 12207 894276 12208 892410 5 API calls 12207->12208 12209 89427f 12208->12209
APIs
• ExitProcess.KERNEL32(?,?,008C652A,?,?,?,?,?,008C7661), ref: 008C6567
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 3ac57badd04ca98630faf08b10a38e774abdb6c21553c8503f3bbb0aeb5e31c7
• Instruction ID: a76597b3044ed1a38003de7e01484e2c8199454330e0a7ecd547baaaf8fa6f63
• Opcode Fuzzy Hash: 3ac57badd04ca98630faf08b10a38e774abdb6c21553c8503f3bbb0aeb5e31c7
• Instruction Fuzzy Hash: 71E08C30140648AFCF35BB28E86DE9C3B79FB61745F200828F81886226DB35DE92C681
Memory Dump Source
• Source File: 00000000.00000002.1728794981.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50d0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2254b5a295aa256281da9730968f162edfab3bcbbc2596ac64ea69b98220ec98
• Instruction ID: 48ef6d7e89459cec319e40bc96634e2bdca0e6962ec3c8eff57a6b2d0a186662
• Opcode Fuzzy Hash: 2254b5a295aa256281da9730968f162edfab3bcbbc2596ac64ea69b98220ec98
• Instruction Fuzzy Hash: 78011AFB549310BE7151C1953B68ABFA7AEE5CA630B31846BF80BC6106F2945E492231

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
• API String ID: 0-3963862150
• Opcode ID: db5d35fb8917bdec4e09d8120909bdd4dc1aa9ff82f9b881e052f4d1c97bebea
• Instruction ID: 61d5b626e5cc8511e887cfd7169561ef536bb2ffba9aae1df5d950bc7116c6d6
• Opcode Fuzzy Hash: db5d35fb8917bdec4e09d8120909bdd4dc1aa9ff82f9b881e052f4d1c97bebea
• Instruction Fuzzy Hash: 39F1E070A0024C9BEF24DF68CC84BDEBBB9FB45304F5442A9F519E7281DB749A84CB95

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 219 899ba5-899d91 call 8a7a00 call 895c10 call 898b30 call 8a8220
APIs
• Sleep.KERNEL32(00000064), ref: 0089A963
• CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 7b425a62790cd4a2b755fd55a8d736e7a793c9a15619429b070728dba5364ebc
• Instruction ID: a4884088d6b0a6f62eccfd8315035b2aaa91c588998d4a3d49706d12b7013e23
• Opcode Fuzzy Hash: 7b425a62790cd4a2b755fd55a8d736e7a793c9a15619429b070728dba5364ebc
• Instruction Fuzzy Hash: CD3115317042448BEF08EB7CDD897ADBB66FB92324F28821CE455D77D5C77989808692

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 241 899f44-899f64 245 899f92-899fae 241->245 246 899f66-899f72 241->246 249 899fdc-899ffb 245->249 250 899fb0-899fbc 245->250 247 899f88-899f8f call 8ad663 246->247 248 899f74-899f82 246->248 247->245 248->247 253 89a92b 248->253 251 89a029-89a916 call 8a80c0 249->251 252 899ffd-89a009 249->252 255 899fbe-899fcc 250->255 256 899fd2-899fd9 call 8ad663 250->256 257 89a00b-89a019 252->257 258 89a01f-89a026 call 8ad663 252->258 260 89a953-89a994 Sleep CreateMutexA 253->260 261 89a92b call 8c6c6a 253->261 255->253 255->256 256->249 257->253 257->258 258->251 271 89a9a7-89a9a8 260->271 272 89a996-89a998 260->272 261->260 272->271 273 89a99a-89a9a5 272->273 273->271
APIs
• Sleep.KERNEL32(00000064), ref: 0089A963
• CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1464230837-0
                                                                                                                          • Opcode ID: 1dca0bd81706aa83bfcb20cdb5e7260ef0a997ff91ceee1838714c7f6d6fe794
                                                                                                                          • Instruction ID: 7b4415665c282db9cfd6e3b3e078a4fc54b6adfa83170970ab8fc373f080b6ad
                                                                                                                          • Opcode Fuzzy Hash: 1dca0bd81706aa83bfcb20cdb5e7260ef0a997ff91ceee1838714c7f6d6fe794
                                                                                                                          • Instruction Fuzzy Hash: 813115317002448BEF0CAB7CD889BADFB66FB96320F288618E455D76D5CB3589808792

                                                                                                                          Control-flow Graph

                                                                                                                          control_flow_graph 275 89a079-89a099 279 89a09b-89a0a7 275->279 280 89a0c7-89a0e3 275->280 281 89a0a9-89a0b7 279->281 282 89a0bd-89a0c4 call 8ad663 279->282 283 89a111-89a130 280->283 284 89a0e5-89a0f1 280->284 281->282 287 89a930 281->287 282->280 285 89a15e-89a916 call 8a80c0 283->285 286 89a132-89a13e 283->286 289 89a0f3-89a101 284->289 290 89a107-89a10e call 8ad663 284->290 292 89a140-89a14e 286->292 293 89a154-89a15b call 8ad663 286->293 296 89a953-89a994 Sleep CreateMutexA 287->296 297 89a930 call 8c6c6a 287->297 289->287 289->290 290->283 292->287 292->293 293->285 305 89a9a7-89a9a8 296->305 306 89a996-89a998 296->306 297->296 306->305 307 89a99a-89a9a5 306->307 307->305
                                                                                                                          APIs
                                                                                                                          • Sleep.KERNEL32(00000064), ref: 0089A963
                                                                                                                          • CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1464230837-0
                                                                                                                          • Opcode ID: 42fb410ac8e10292148e3d7c25a8ab8708eca564496d88dac9d69afa16856344
                                                                                                                          • Instruction ID: 5c349a373bd93a6f3cc86880935bf7587d087c87f3b3a79a5180808de9a7cb60
                                                                                                                          • Opcode Fuzzy Hash: 42fb410ac8e10292148e3d7c25a8ab8708eca564496d88dac9d69afa16856344
                                                                                                                          • Instruction Fuzzy Hash: 9D3129317001449BEF0CEB78DD89B6DBB66FB91320F288218E425D77D5C77699808692

                                                                                                                          Control-flow Graph

                                                                                                                          control_flow_graph 309 89a1ae-89a1ce 313 89a1fc-89a218 309->313 314 89a1d0-89a1dc 309->314 315 89a21a-89a226 313->315 316 89a246-89a265 313->316 317 89a1de-89a1ec 314->317 318 89a1f2-89a1f9 call 8ad663 314->318 319 89a228-89a236 315->319 320 89a23c-89a243 call 8ad663 315->320 321 89a293-89a916 call 8a80c0 316->321 322 89a267-89a273 316->322 317->318 323 89a935 317->323 318->313 319->320 319->323 320->316 328 89a289-89a290 call 8ad663 322->328 329 89a275-89a283 322->329 325 89a953-89a994 Sleep CreateMutexA 323->325 326 89a935 call 8c6c6a 323->326 339 89a9a7-89a9a8 325->339 340 89a996-89a998 325->340 326->325 328->321 329->323 329->328 340->339 341 89a99a-89a9a5 340->341 341->339
                                                                                                                          APIs
                                                                                                                          • Sleep.KERNEL32(00000064), ref: 0089A963
                                                                                                                          • CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 04ff7355c28266be725bae5f466047a99da9d1ece95aeefe18f6f0e35bfd7911
• Instruction ID: 43c0997dfe52ea2aac21ef25c7b1e2ce8da381e85281d2816f1ca52e6e15b69c
• Opcode Fuzzy Hash: 04ff7355c28266be725bae5f466047a99da9d1ece95aeefe18f6f0e35bfd7911
• Instruction Fuzzy Hash: 4A312A317001449BEF0CEBBCDC89B6DB762FB96320F284218E415D76D5D77589808792

Control-flow Graph
• Legend: Executed / Not Executed
• Graph: function starting at 89a418 (block and edge listing not reproduced)
APIs
• Sleep.KERNEL32(00000064), ref: 0089A963
• CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 3cf9a00618ee927ac34eef56c19cb6c50342afbe5f0252b01a517f116a52d266
• Instruction ID: a3ef3ca291e3ea269ad7c17eacffa656dffde98c7c70306c07609f7443fd6fae
• Opcode Fuzzy Hash: 3cf9a00618ee927ac34eef56c19cb6c50342afbe5f0252b01a517f116a52d266
• Instruction Fuzzy Hash: F03129317001449BEF0CEB7CDD8DB6DB765FB92320F288218E415DB6D5DB7589808697

Control-flow Graph
• Legend: Executed / Not Executed
• Graph: function starting at 89a54d (block and edge listing not reproduced)
APIs
• Sleep.KERNEL32(00000064), ref: 0089A963
• CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 4b622ce6725cc24d636e406c4e2b333e2390da0b97836368e03f7633a7c0a5d3
• Instruction ID: 151eea31897af785aebe767c46d27c5cc2858561c5c8fbbc0c20524117e6c0bc
• Opcode Fuzzy Hash: 4b622ce6725cc24d636e406c4e2b333e2390da0b97836368e03f7633a7c0a5d3
• Instruction Fuzzy Hash: 363115317001448BEF0CEBB8D889B6DBB66FB95324F288218E415DB6D5CB3589808692

Control-flow Graph
• Legend: Executed / Not Executed
• Graph: function starting at 89a682 (block and edge listing not reproduced)
APIs
• Sleep.KERNEL32(00000064), ref: 0089A963
• CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1464230837-0
                                                                                                                          • Opcode ID: 5b296370ff78c0c9200dd51ad3e01d236ebf0035dad341d730165531b8639c99
                                                                                                                          • Instruction ID: 611d9bbed42209a770ac9ddc73f8c1a43eef7dda9a3e2d0b5c46fc03c165e70a
                                                                                                                          • Opcode Fuzzy Hash: 5b296370ff78c0c9200dd51ad3e01d236ebf0035dad341d730165531b8639c99
                                                                                                                          • Instruction Fuzzy Hash: 3E3128317042449BEF0CEB7CDC8AB6DBBB6FB91320F288218E415D76D5C77589808693

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          control_flow_graph 457 899adc-899ae8 458 899aea-899af8 457->458 459 899afe-899d91 call 8ad663 call 8a7a00 call 895c10 call 898b30 call 8a8220 call 8a7a00 call 895c10 call 898b30 call 8a8220 457->459 458->459 460 89a917 458->460 462 89a953-89a994 Sleep CreateMutexA 460->462 463 89a917 call 8c6c6a 460->463 469 89a9a7-89a9a8 462->469 470 89a996-89a998 462->470 463->462 470->469 472 89a99a-89a9a5 470->472 472->469
                                                                                                                          APIs
                                                                                                                          • Sleep.KERNEL32(00000064), ref: 0089A963
                                                                                                                          • CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1464230837-0
                                                                                                                          • Opcode ID: 7c9bd4bd01d2583fee0b2bfe6dc607b9d0d3bd053746c810073b7ae56251d32f
                                                                                                                          • Instruction ID: bf023b623753cf3dc9a73ba3c0f78167c8c28e95119db5cde076eced04c2cfb5
                                                                                                                          • Opcode Fuzzy Hash: 7c9bd4bd01d2583fee0b2bfe6dc607b9d0d3bd053746c810073b7ae56251d32f
                                                                                                                          • Instruction Fuzzy Hash: B8214232704244DBEF1CAB6CEC89B6DB766FBD1320F28421CE429C76D5DB7989808652

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          control_flow_graph 525 89a856-89a86e 526 89a89c-89a89e 525->526 527 89a870-89a87c 525->527 530 89a8a9-89a8b1 call 897d30 526->530 531 89a8a0-89a8a7 526->531 528 89a87e-89a88c 527->528 529 89a892-89a899 call 8ad663 527->529 528->529 533 89a94e-89a987 call 8c6c6a Sleep CreateMutexA 528->533 529->526 540 89a8b3-89a8bb call 897d30 530->540 541 89a8e4-89a8e6 530->541 535 89a8eb-89a916 call 8a80c0 531->535 546 89a98e-89a994 533->546 540->541 547 89a8bd-89a8c5 call 897d30 540->547 541->535 548 89a9a7-89a9a8 546->548 549 89a996-89a998 546->549 547->541 553 89a8c7-89a8cf call 897d30 547->553 549->548 551 89a99a-89a9a5 549->551 551->548 553->541 557 89a8d1-89a8d9 call 897d30 553->557 557->541 560 89a8db-89a8e2 557->560 560->535
                                                                                                                          APIs
                                                                                                                          • Sleep.KERNEL32(00000064), ref: 0089A963
                                                                                                                          • CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1464230837-0
                                                                                                                          • Opcode ID: 95a8ee347b3e14b34fc4f9afd1eb6acee50a8450d7b0714027def950f798a217
                                                                                                                          • Instruction ID: 167110897b7979f45b8e6824a3fd177a0337ae7045537f7f8f32925c191bd505
                                                                                                                          • Opcode Fuzzy Hash: 95a8ee347b3e14b34fc4f9afd1eb6acee50a8450d7b0714027def950f798a217
                                                                                                                          • Instruction Fuzzy Hash: 02212831355205DAFF2CB76C989AB7DB752FF81314F2C4826E508E62D5CA7A898081D3

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 502 89a34f-89a35b 503 89a35d-89a36b 502->503 504 89a371-89a39a call 8ad663 502->504 503->504 505 89a93a 503->505 510 89a3c8-89a916 call 8a80c0 504->510 511 89a39c-89a3a8 504->511 507 89a953-89a994 Sleep CreateMutexA 505->507 508 89a93a call 8c6c6a 505->508 517 89a9a7-89a9a8 507->517 518 89a996-89a998 507->518 508->507 514 89a3aa-89a3b8 511->514 515 89a3be-89a3c5 call 8ad663 511->515 514->505 514->515 515->510 518->517 521 89a99a-89a9a5 518->521 521->517
APIs
• Sleep.KERNEL32(00000064), ref: 0089A963
• CreateMutexA.KERNEL32(00000000,00000000,008F3254), ref: 0089A981
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: f9db9f07936fbf9f599ad41439c545535dc93aa6a2bbbe4ded98a15a0a5dca30
• Instruction ID: 5a4aa7125c5d5354bdd6294f7529d5bacb9a1ad2bdf636093bf257dd140c9269
• Opcode Fuzzy Hash: f9db9f07936fbf9f599ad41439c545535dc93aa6a2bbbe4ded98a15a0a5dca30
• Instruction Fuzzy Hash: DE213A327042449BEF1CAB6CEC8976DBB65FBD1321F284219E415D77D4CB7699808293

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 561 897d30-897db2 call 8c40f0 565 897db8-897de0 call 8a7a00 call 895c10 561->565 566 898356-898373 call 8acff1 561->566 573 897de2 565->573 574 897de4-897e06 call 8a7a00 call 895c10 565->574 573->574 579 897e08 574->579 580 897e0a-897e23 574->580 579->580 583 897e25-897e34 580->583 584 897e54-897e7f 580->584 585 897e4a-897e51 call 8ad663 583->585 586 897e36-897e44 583->586 587 897e81-897e90 584->587 588 897eb0-897ed1 584->588 585->584 586->585 591 898374 call 8c6c6a 586->591 593 897e92-897ea0 587->593 594 897ea6-897ead call 8ad663 587->594 589 897ed3-897ed5 GetNativeSystemInfo 588->589 590 897ed7-897edc 588->590 595 897edd-897ee6 589->595 590->595 602 898379-89837f call 8c6c6a 591->602 593->591 593->594 594->588 600 897ee8-897eef 595->600 601 897f04-897f07 595->601 604 898351 600->604 605 897ef5-897eff 600->605 606 897f0d-897f16 601->606 607 8982f7-8982fa 601->607 604->566 609 89834c 605->609 610 897f29-897f2c 606->610 611 897f18-897f24 606->611 607->604 612 8982fc-898305 607->612 609->604 614 897f32-897f39 610->614 615 8982d4-8982d6 610->615 611->609 616 89832c-89832f 612->616 617 898307-89830b 612->617 622 898019-8982bd call 8a7a00 call 895c10 call 8a7a00 call 895c10 call 895d50 call 8a7a00 call 895c10 call 895730 call 8a7a00 call 895c10 call 8a7a00 call 895c10 call 895d50 call 8a7a00 call 895c10 call 895730 call 8a7a00 call 895c10 call 8a7a00 call 895c10 call 895d50 call 8a7a00 call 895c10 call 895730 call 8a7a00 call 895c10 call 8a7a00 call 895c10 call 895d50 call 8a7a00 call 895c10 call 895730 614->622 623 897f3f-897f9b call 8a7a00 call 895c10 call 8a7a00 call 895c10 call 895d50 614->623 620 8982d8-8982e2 615->620 621 8982e4-8982e7 615->621 618 89833d-898349 616->618 619 898331-89833b 616->619 624 89830d-898312 617->624 625 898320-89832a 617->625 618->609 619->604 620->609 621->604 627 8982e9-8982f5 621->627 660 8982c3-8982cc 622->660 646 897fa0-897fa7 623->646 624->625 629 898314-89831e 624->629 625->604 627->609 629->604 648 897fa9 646->648 649 897fab-897fcb call 8c8bbe 646->649 648->649 656 897fcd-897fdc 649->656 657 898002-898004 649->657 661 897fde-897fec 656->661 662 897ff2-897fff call 8ad663 656->662 659 89800a-898014 657->659 657->660 659->660 660->607 664 8982ce 660->664 661->602 661->662 662->657 664->615
APIs
• GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00897ED3
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: InfoNativeSystem
• String ID:
• API String ID: 1721193555-0
• Opcode ID: b5ec9e962f4e43aeb55855532c11d72f646c37e3f0eb8eb5bf9132b857a9812f
• Instruction ID: cc8bb59780eb8ebda0ff11b12c2ea465522e51de7358a17002f059143deadbee
• Opcode Fuzzy Hash: b5ec9e962f4e43aeb55855532c11d72f646c37e3f0eb8eb5bf9132b857a9812f
• Instruction Fuzzy Hash: BAE1D270F00654ABDF15BB388C0A7AD7A61FB42724F984298E415E73C2DB758E8187C3

Control-flow Graph

control_flow_graph 860 8cd82f-8cd83a 861 8cd83c-8cd846 860->861 862 8cd848-8cd84e 860->862 861->862 863 8cd87c-8cd887 call 8c75f6 861->863 864 8cd867-8cd878 RtlAllocateHeap 862->864 865 8cd850-8cd851 862->865 870 8cd889-8cd88b 863->870 866 8cd87a 864->866 867 8cd853-8cd85a call 8c9dc0 864->867 865->864 866->870 867->863 873 8cd85c-8cd865 call 8c8e36 867->873 873->863 873->864
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,008CA813,00000001,00000364,00000006,000000FF,?,008CEE3F,?,00000004,00000000,?,?), ref: 008CD871
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 1e2ff1049349296035d1338583deeffb42b369a39e3bfc615944aeb710e569fa
• Instruction ID: 9c07ce1f19eccc11f40492054147c2e9bb9a2d745b40c180fdb691c568ced7d0
• Opcode Fuzzy Hash: 1e2ff1049349296035d1338583deeffb42b369a39e3bfc615944aeb710e569fa
• Instruction Fuzzy Hash: D4F0B431501328A6EB213A769C01F5B7778FB45370B168939BD04EB181DA30DC0185E1
APIs
• GetFileAttributesA.KERNEL32(?,0089DA1D,?,?,?,?), ref: 008987B9
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: e08f800b69f97634731913770160e7479db5d4e67d4625d6099492b6b5fe18bb
• Instruction ID: bb20a351d0fa82a730dc76e66f4d9d2da1be9bd150946443590ad62ae2b13b7b
• Opcode Fuzzy Hash: e08f800b69f97634731913770160e7479db5d4e67d4625d6099492b6b5fe18bb
• Instruction Fuzzy Hash: 1BC08C28011601A9ED1C65B848998AD3349E9877B43FC5FC4E470CF2E1CA3958079210
APIs
• GetFileAttributesA.KERNEL32(?,0089DA1D,?,?,?,?), ref: 008987B9
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 05201e6bf1e545bd14e55740fff9a7fe4f42ce21fdb779fdf594292355c9e9a0
• Instruction ID: 8dd12d5d4a2b87c4cbccdadcee980e0b947adc45811853c7e282c784bf86ba60
• Opcode Fuzzy Hash: 05201e6bf1e545bd14e55740fff9a7fe4f42ce21fdb779fdf594292355c9e9a0
• Instruction Fuzzy Hash: 27C08034011101E5ED1C6578545847D3305F9437243FC4F88D431CF2E1CB76C403C650
APIs
• CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0089B3C7
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: cdacf06f3786ac1fbfac3169950cd11ef28980b910fe59a68433c180ce4840b2
• Instruction ID: 00399ec20990ad18283a88e24e3af9152577c3b7ceb5ffbe6baf5e2d2110d193
• Opcode Fuzzy Hash: cdacf06f3786ac1fbfac3169950cd11ef28980b910fe59a68433c180ce4840b2
• Instruction Fuzzy Hash: 90B1F270A10268DFEB29DF18C994BDEB7B5FF15304F5081D8E80AA7281D775AA84CF91
Memory Dump Source
• Source File: 00000000.00000002.1728794981.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50d0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51bb97e723b2242f2561a41bf39ff6da00f2f673fbd42a4ec08b3e9a32da8b08
• Instruction ID: 46be1409eff1f21fd8c2f17c906300094b3119e28c992c3fc4b2c2e6568a051a
• Opcode Fuzzy Hash: 51bb97e723b2242f2561a41bf39ff6da00f2f673fbd42a4ec08b3e9a32da8b08
• Instruction Fuzzy Hash: 81019EEB5493107EB142C0853B28AFFA7AEE0D6A30B31847BF80BC6102F1859E4E1231
Memory Dump Source
• Source File: 00000000.00000002.1728794981.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 31fb1c41835980164cc78c3a5980c8a671da87db477ca9a9dcb17fde86eaa6cc
                                                                                                                          • Instruction ID: a077f5f5d92414a33ef1ae5a72ca77bfc514184ce8c7ef97fd43eedb88d9cf1b
                                                                                                                          • Opcode Fuzzy Hash: 31fb1c41835980164cc78c3a5980c8a671da87db477ca9a9dcb17fde86eaa6cc
                                                                                                                          • Instruction Fuzzy Hash: AA014CEB54D210BEB151C1853B68ABFA7AEE5C6730B31846BF80AC6106E2954E4E1231
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1728794981.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: c7075bccd7f1f8b57d84fe8751288721d6e17656939eadca7ba38e7fcecc0abf
                                                                                                                          • Instruction ID: 89ac02e3bb5150663a3443c251c50d8a4266678deed55e4b4e57b938a2d9becc
                                                                                                                          • Opcode Fuzzy Hash: c7075bccd7f1f8b57d84fe8751288721d6e17656939eadca7ba38e7fcecc0abf
                                                                                                                          • Instruction Fuzzy Hash: C5012CEB54D2107E7151C1953B68AFFA76EE0D6630731847BF80BC6506F2948E4E1231
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1728794981.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: bd2ef9265900561f0d160e0f9fb0ca3726744174e27ac37e0089340ce16bc7c7
                                                                                                                          • Instruction ID: 5a9f7a456febcc13540e54a2472088cd45050901e439ab813c51db8b23843a48
                                                                                                                          • Opcode Fuzzy Hash: bd2ef9265900561f0d160e0f9fb0ca3726744174e27ac37e0089340ce16bc7c7
                                                                                                                          • Instruction Fuzzy Hash: 30F0F0BB04C200AEB151C1923738ABEEBAEE0CA3307318477F80BC5002F1944A4E5231
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1728794981.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 76ae577bc4d94c282db7fdd5ec37f70a49181d6dd9fb74eb638dec178e9745b9
                                                                                                                          • Instruction ID: 8864b7e7e6302fa4f58685edc54a8cb457c342ec578c30aaad2a0852f62150bd
                                                                                                                          • Opcode Fuzzy Hash: 76ae577bc4d94c282db7fdd5ec37f70a49181d6dd9fb74eb638dec178e9745b9
                                                                                                                          • Instruction Fuzzy Hash: 39E065B75483156EA2B1C5A2376C6BEF3EEF5D6730B70843AF846C0401F2991A095231
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1728794981.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 3444ccfd9f4f7606b56f55b21810cdb6b7635c4c4c3535918a57691817a6ac66
                                                                                                                          • Instruction ID: 800a871b4aed1c7e7210317f63b81d4c82dd52c8558def6b235da3a5780b3fa1
                                                                                                                          • Opcode Fuzzy Hash: 3444ccfd9f4f7606b56f55b21810cdb6b7635c4c4c3535918a57691817a6ac66
                                                                                                                          • Instruction Fuzzy Hash: D9E08CAB14C2107DA0A1C1A13A38ABEE76EF0C6B307708023F88BC0401F2894A1C5235
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: __floor_pentium4
                                                                                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                          • API String ID: 4168288129-2761157908
                                                                                                                          • Opcode ID: 14107688c93b6957dff1fb33de4a3247070143d87e7c97665b2e48549de7f5e4
                                                                                                                          • Instruction ID: 6eee9cb45b901c57d1a8ade54fe102c1935290c45e9bd0f013ca28dafb11e5bd
                                                                                                                          • Opcode Fuzzy Hash: 14107688c93b6957dff1fb33de4a3247070143d87e7c97665b2e48549de7f5e4
                                                                                                                          • Instruction Fuzzy Hash: D7C21771E086288FDB65CE28DD407AAB7B5FB48315F1442EAD84DE7340E779AE818F41
                                                                                                                          APIs
                                                                                                                          • recv.WS2_32(?,?,00000004,00000000), ref: 0089E10B
                                                                                                                          • recv.WS2_32(?,?,00000008,00000000), ref: 0089E140
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: cb4e76a82819ebe0e017dcd079eda8c4d815d951cb301e940b6d720fcbe736db
• Instruction ID: 67f4f57e9e5b224658ddbd48bf31c3ff15d1333ba9173de729f56b0853756736
• Opcode Fuzzy Hash: cb4e76a82819ebe0e017dcd079eda8c4d815d951cb301e940b6d720fcbe736db
• Instruction Fuzzy Hash: DB319371A002489BDB20DB7CDC85FBB7BB8FB0D724F140625E515EB391DA75A845CBA0
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
• Instruction ID: b756086d692f5f4032b512bbd0b72e2626aef4b37692515cb599e81101abec93
• Opcode Fuzzy Hash: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
• Instruction Fuzzy Hash: 51F13E71E012199FDF14CFA9C8806ADB7B1FF58314F25826AE819EB345D731AE01CB91
APIs
• GetSystemTimePreciseAsFileTime.KERNEL32(?,008ACF52,?,00000003,00000003,?,008ACF87,?,?,?,00000003,00000003,?,008AC4FD,00892FB9,00000001), ref: 008ACC03
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$FilePreciseSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1802150274-0
                                                                                                                          • Opcode ID: 07d46d6543721533da2587551568cacd9ffc3b8b9419b63b4498ad1332e5dcae
                                                                                                                          • Instruction ID: fb5d454917328e4d4ead7b6d25362f79ea9ee0f14fb61a20a6f01278b6d1a98e
                                                                                                                          • Opcode Fuzzy Hash: 07d46d6543721533da2587551568cacd9ffc3b8b9419b63b4498ad1332e5dcae
                                                                                                                          • Instruction Fuzzy Hash: 4ED0233150143C9345013754EC048BCB788FB017243010111DE0857920C6905C404FD5
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
• Instruction ID: 2add45bacc4d54e2776c789a3d98a62c3a3ad45c7db8dba9cd0de82b0f217500
• Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
• Instruction Fuzzy Hash: AE514A30298A48DAEB384A2C88D5FBE67BAFB12304F14451EE442D7691CE72DD498A52
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67383ad9a4ac70506cafffe077fd5ce8a29f9153280dfceb42a72b561c4aef2e
• Instruction ID: 703768b60813d0a58d027828e3bae0a1754f6a205a3a7241fd72d2ef579814ed
• Opcode Fuzzy Hash: 67383ad9a4ac70506cafffe077fd5ce8a29f9153280dfceb42a72b561c4aef2e
• Instruction Fuzzy Hash: 54223DB3F515144BDB4CCA9DDCA27EDB2E3BFD8218B0E803DA40AE3345EA7999158644
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 4739b6b41a1dd5919138d73da812ce03554af38f6ad4b306a7c005363a3ca3ed
                                                                                                                          • Instruction ID: 00212e56afa65f5d9dc05ef0ca4d3ebbc126c380b6063b60ef34c24371e5aea9
                                                                                                                          • Opcode Fuzzy Hash: 4739b6b41a1dd5919138d73da812ce03554af38f6ad4b306a7c005363a3ca3ed
                                                                                                                          • Instruction Fuzzy Hash: EBB14B31614608DFDB19CF28C486B657BA0FF45364F25875AE89ACF3A1D335E982CB40
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 68092f81844f1e366ba1e034c6c19459f9c3fb2d457b40048a4d1136020dd74e
                                                                                                                          • Instruction ID: 4c4a7c7ea49c2d62afff44a15727cdf02cf4b4912130132ca266e57ff55422e4
                                                                                                                          • Opcode Fuzzy Hash: 68092f81844f1e366ba1e034c6c19459f9c3fb2d457b40048a4d1136020dd74e
                                                                                                                          • Instruction Fuzzy Hash: A6811F74E012498FEB15DFA8D890BFEBBB1FB1A304F180269D850E7752C3319946CBA0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c165bb4898ec21606cfe253664aa9a57b010a773d1918dcca26ee7e184a59a6
• Instruction ID: 287c6bd3b6e1334e695dc396262b59293a7ad24a8ab92774f81a97c46b5cee02
• Opcode Fuzzy Hash: 5c165bb4898ec21606cfe253664aa9a57b010a773d1918dcca26ee7e184a59a6
• Instruction Fuzzy Hash: 7921D673F2043907770CC47E8C5227DB6E1C78C500745423AE8A6EA2C1D968D917E2E4
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8df920a2cc455019b6f053e1bd534ed161e05e8bae5963cb741222545062b4e2
• Instruction ID: 3e45142ada707467fe1293aedc414fab18fb9506fcbd3346b1f059e54e7e54fe
• Opcode Fuzzy Hash: 8df920a2cc455019b6f053e1bd534ed161e05e8bae5963cb741222545062b4e2
• Instruction Fuzzy Hash: A8118A23F30C295B675C817D8C1727A96D2EBD825471F533AD826E7384F994DE23D290
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction ID: e2b17b002e31ad117c7d00adeb81b202e68dc4755feef4607f46877942526a85
• Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction Fuzzy Hash: 01113D77600186C7E604863EC8F45B7E795FBC53217AD437BD082CB758DE22E945B600
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
• Instruction ID: f140130f8144c52c29372640c40a72bf7cff674618abbd3170beadf48b5077f4
• Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
• Instruction Fuzzy Hash: 5DE04632921268EBCB18DBAC8905E8AB2BCFB49B04F65019AB501D3251C270DE00C7D1
APIs
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_file.jbxd
Yara matches
Similarity
• API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
• String ID:
• API String ID: 57040152-0
• Opcode ID: 6ca599208dbca3bdc9248e7a3e7c10177743b2ec6e3365f9333b6cd1e02def57
• Instruction ID: 4e469b06d3f5aa5f755f1580ee3ded66fe2ed84ea57d155e8327a36a9c9bc635
• Opcode Fuzzy Hash: 6ca599208dbca3bdc9248e7a3e7c10177743b2ec6e3365f9333b6cd1e02def57
• Instruction Fuzzy Hash: 45A1D270A01605EFEF21EF68C944B6AB7B8FF15314F088129E816D7651EB35EA04CBD2
APIs
Memory Dump Source
• Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
• Associated: 00000000.00000002.1724367497.0000000000890000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724439496.00000000008F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724515632.00000000008F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724536596.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724568020.0000000000907000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724693206.0000000000A58000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724764640.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A6B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1724836897.0000000000A79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725007845.0000000000A7C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725093138.0000000000A7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725245847.0000000000A81000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725327157.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725430406.0000000000A8A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725868507.0000000000A8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725908264.0000000000A8C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725929841.0000000000A93000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725962886.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1725988512.0000000000AA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726014488.0000000000AA9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726046104.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726080176.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726109432.0000000000ADE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726135378.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726157159.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726182152.0000000000AE9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726208020.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726234481.0000000000AFB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726255705.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726277158.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726298898.0000000000B08000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726318896.0000000000B09000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726342902.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726364390.0000000000B16000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726385781.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726411185.0000000000B35000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726433096.0000000000B36000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726459086.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726480828.0000000000B55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726539079.0000000000B83000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726560089.0000000000B84000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726584798.0000000000B88000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1726606620.0000000000B8A000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1726630021.0000000000B99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1726649759.0000000000B9A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: _strrchr
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3213747228-0
                                                                                                                          • Opcode ID: 50646cb43b7217affa873159b33a8ceb5ad87b323bf0650c56aca3f8e12e7eb4
                                                                                                                          • Instruction ID: 3069cfcc83a000d5965c147e98916c6ec19df9e8b4fff4a50ddefcfb531e7577
                                                                                                                          • Opcode Fuzzy Hash: 50646cb43b7217affa873159b33a8ceb5ad87b323bf0650c56aca3f8e12e7eb4
                                                                                                                          • Instruction Fuzzy Hash: C5B112329042899FDB11CF68C881FAEBBB5FF46350F1481AEE959EB241D634CD42CB61
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1724439496.0000000000891000.00000040.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_890000_file.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Xtime_diff_to_millis2_xtime_get
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 531285432-0
                                                                                                                          • Opcode ID: d6b2ce10746c6b3bfc2460c76763227f1d47aeea9a680d104387b7cf22ad0782
                                                                                                                          • Instruction ID: 3094bd3952845d9b34cc0e171afd531fb37c96958872b54bb8e5342164226aac
                                                                                                                          • Opcode Fuzzy Hash: d6b2ce10746c6b3bfc2460c76763227f1d47aeea9a680d104387b7cf22ad0782
                                                                                                                          • Instruction Fuzzy Hash: 50211D71A00119AFEF00EBA8DC819BEB7B9FF49710F100419F601EB251DB749D419BA1

                                                                                                                          Execution Graph

                                                                                                                          Execution Coverage:0.9%
                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                          Signature Coverage:0%
                                                                                                                          Total number of Nodes:594
                                                                                                                          Total number of Limit Nodes:4
10171->10169 10172 c042b0 10175 c03ac0 10172->10175 10174 c042bb shared_ptr 10176 c03af9 10175->10176 10179 c03c38 10176->10179 10180 c03b39 __Cnd_destroy_in_situ shared_ptr __Mtx_destroy_in_situ 10176->10180 10185 c032d0 10176->10185 10178 c032d0 5 API calls 10182 c03c5f 10178->10182 10179->10178 10179->10182 10180->10174 10181 c03c68 10181->10174 10182->10181 10183 c03810 3 API calls 10182->10183 10184 c03cdb shared_ptr 10183->10184 10184->10174 10186 c1c6ac GetSystemTimePreciseAsFileTime 10185->10186 10189 c03314 10186->10189 10187 c1c26a 4 API calls 10188 c0333c __Mtx_unlock 10187->10188 10190 c1c26a 4 API calls 10188->10190 10192 c03350 std::invalid_argument::invalid_argument 10188->10192 10189->10187 10189->10188 10191 c03377 10190->10191 10193 c1c6ac GetSystemTimePreciseAsFileTime 10191->10193 10192->10179 10194 c033af 10193->10194 10195 c1c26a 4 API calls 10194->10195 10196 c033b6 10194->10196 10195->10196 10197 c1c26a 4 API calls 10196->10197 10198 c033d7 __Mtx_unlock 10196->10198 10197->10198 10199 c1c26a 4 API calls 10198->10199 10200 c033eb 10198->10200 10201 c0340e 10199->10201 10200->10179 10201->10179 10337 c055f0 10338 c05610 10337->10338 10339 c022c0 3 API calls 10338->10339 10340 c05710 std::invalid_argument::invalid_argument 10338->10340 10339->10338 10341 c043f0 10342 c1bedf InitOnceExecuteOnce 10341->10342 10343 c0440a 10342->10343 10344 c04411 10343->10344 10345 c36cbb 3 API calls 10343->10345 10346 c04424 10345->10346 10398 c03970 10399 c1c68b __Mtx_init_in_situ 2 API calls 10398->10399 10400 c039a7 10399->10400 10401 c1c68b __Mtx_init_in_situ 2 API calls 10400->10401 10402 c039e6 10401->10402 10403 c02170 10404 c1c6fc InitializeCriticalSectionEx 10403->10404 10405 c0217a 10404->10405 10229 c04276 10230 c02410 4 API calls 10229->10230 10231 c0427f 10230->10231 10202 c09ab8 10204 c09acc 10202->10204 10205 c09b08 10204->10205 10206 c05c10 3 API calls 10205->10206 10207 c09b7c 10206->10207 10208 c08b30 3 API calls 10207->10208 10209 c09b8d 
10208->10209 10210 c05c10 3 API calls 10209->10210 10211 c09cb1 10210->10211 10212 c08b30 3 API calls 10211->10212 10213 c09cc2 10212->10213 10237 c0cc79 10239 c0cc84 shared_ptr 10237->10239 10238 c0ccda shared_ptr std::invalid_argument::invalid_argument 10239->10238 10240 c05c10 3 API calls 10239->10240 10241 c0ce9d 10240->10241 10243 c0ca70 10241->10243 10244 c0cadd 10243->10244 10246 c05c10 3 API calls 10244->10246 10250 c0cc87 10244->10250 10245 c0ccda shared_ptr std::invalid_argument::invalid_argument 10247 c0ccf9 10246->10247 10253 c09030 10247->10253 10249 c05c10 3 API calls 10251 c0ce9d 10249->10251 10250->10245 10250->10249 10252 c0ca70 3 API calls 10251->10252 10254 c09080 10253->10254 10255 c05c10 3 API calls 10254->10255 10256 c0909a shared_ptr std::invalid_argument::invalid_argument 10255->10256 10256->10250 10370 c38bbe 10371 c38868 3 API calls 10370->10371 10372 c38bdc 10371->10372

Control-flow Graph

• Executed
• Not Executed
• Block 342: c3652b-c36538, call c3a302 -> 345, 346
• Block 345: c3655a-c3656c, call c3656d, ExitProcess
• Block 346: c3653a-c36548, GetPEB -> 345, 348
• Block 348: c3654a-c36559 -> 345
APIs
• ExitProcess.KERNEL32(?,?,00C3652A,?,?,?,?,?,00C37661), ref: 00C36566
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000001.00000002.1746787964.0000000000C00000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1746862422.0000000000C62000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747076476.0000000000C69000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747110950.0000000000C6B000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747146114.0000000000C77000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747310554.0000000000DC8000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747388432.0000000000DCB000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747542494.0000000000DEC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747624893.0000000000DEF000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747642690.0000000000DF1000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747685662.0000000000DF3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747714200.0000000000DFA000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747740046.0000000000DFB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747756143.0000000000DFC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747772120.0000000000E03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747790630.0000000000E17000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747862479.0000000000E18000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747882111.0000000000E19000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747955981.0000000000E48000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747988000.0000000000E4E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748046388.0000000000E55000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748072179.0000000000E58000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748126117.0000000000E59000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748153573.0000000000E5E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748232890.0000000000E6B000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748294383.0000000000E6D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748327330.0000000000E76000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748375237.0000000000E78000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748466358.0000000000E79000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748507936.0000000000E7D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748543912.0000000000E86000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748562283.0000000000E88000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748585802.0000000000EA5000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748603620.0000000000EA6000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748677233.0000000000EB9000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748798251.0000000000EBA000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748798251.0000000000EC5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751733020.0000000000EF3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751769925.0000000000EF4000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751848309.0000000000EF8000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751872855.0000000000EFA000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751913208.0000000000F09000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751940824.0000000000F0A000.00000080.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 7286ee92fc39da155a0cd25079724ce8d1a0c2384fe8224888a21ccd8523c4c7
• Instruction ID: c13a033f67465983f3e0c7fdaa108129658ed7c884336c481ba8b1c4da7f5c07
• Opcode Fuzzy Hash: 7286ee92fc39da155a0cd25079724ce8d1a0c2384fe8224888a21ccd8523c4c7
• Instruction Fuzzy Hash: 40E08C30161108BBCF25BB59D84DE883B69EB51741F009824FD2A8A225CB35DE82EA90

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • Sleep.KERNELBASE(00000064), ref: 00C0A963
                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.1746787964.0000000000C00000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1746862422.0000000000C62000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747076476.0000000000C69000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747110950.0000000000C6B000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747146114.0000000000C77000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747310554.0000000000DC8000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747388432.0000000000DCB000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747438436.0000000000DDB000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747542494.0000000000DEC000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747624893.0000000000DEF000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747642690.0000000000DF1000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747685662.0000000000DF3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747714200.0000000000DFA000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747740046.0000000000DFB000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747756143.0000000000DFC000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747772120.0000000000E03000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747790630.0000000000E17000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747862479.0000000000E18000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747882111.0000000000E19000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747955981.0000000000E48000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1747988000.0000000000E4E000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748046388.0000000000E55000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748072179.0000000000E58000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748126117.0000000000E59000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748153573.0000000000E5E000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748232890.0000000000E6B000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748294383.0000000000E6D000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748327330.0000000000E76000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748375237.0000000000E78000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748466358.0000000000E79000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748507936.0000000000E7D000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748543912.0000000000E86000.00000080.00000001.01000000.00000008.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 5a0118fa8509c582d8d2c90f973dbe3b64af2b34dc25bc07aba73b946e560f2a
• Instruction ID: 426189ee9b5c2ac287d0c3eddd78a5e28594f5ba8bee796a43934be0bf7c27e9
• Opcode Fuzzy Hash: 5a0118fa8509c582d8d2c90f973dbe3b64af2b34dc25bc07aba73b946e560f2a
• Instruction Fuzzy Hash: D6313B71B042049BEB18DB78DC8976DB7B2EBC6320F248618F015A73D6C7B54A81C751

Control-flow Graph (rendered graph omitted)
APIs
• Sleep.KERNELBASE(00000064), ref: 00C0A963
• CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 821162cfe7721504cbd54b0b7c7195e05f566e883b120601ddaa97f62a80dee4
• Instruction ID: e3427dbad9cc89c415424c0505154f82cb6c1735cd974942e44d084ad87151c2
• Opcode Fuzzy Hash: 821162cfe7721504cbd54b0b7c7195e05f566e883b120601ddaa97f62a80dee4
• Instruction Fuzzy Hash: FD3139317042059BEB18DBB8DC997ADB7B2EBC6320F248618F025E72D6C7758A81C752

Control-flow Graph (rendered graph omitted)
APIs
• Sleep.KERNELBASE(00000064), ref: 00C0A963
• CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: ee97c223b47c649d4538b85019b0fcef1071c116e9c295e54b1ad7f0917c7082
• Instruction ID: 02f9954753b22816d7fc63f68040f20e11160581eb7f2badc23459a4d405bf49
• Opcode Fuzzy Hash: ee97c223b47c649d4538b85019b0fcef1071c116e9c295e54b1ad7f0917c7082
• Instruction Fuzzy Hash: D3314831704304DBEB18DB78DC89BADB7B2DB82310F248618E025A73D1C7769981C752

Control-flow Graph
APIs
• Sleep.KERNELBASE(00000064), ref: 00C0A963
• CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 25814c8e4d67d54f38a7e77582b7b97792dbc3a4d9d3cb82698ae3cbb3787c89
• Instruction ID: 1f7051e9e8c5aae90542723381899163756ce3fff181137c84e249c78bd4ed84
• Opcode Fuzzy Hash: 25814c8e4d67d54f38a7e77582b7b97792dbc3a4d9d3cb82698ae3cbb3787c89
• Instruction Fuzzy Hash: 37310831704340DBEB18DBB8DC89BADB7B2ABC6310F248618F014AB2D5D7769981C752

Control-flow Graph
APIs
• Sleep.KERNELBASE(00000064), ref: 00C0A963
• CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 9f28a3ced345711e75f0ac64ce12293748005672f3eba931835142ecbcb9c49b
• Instruction ID: cdb2407e982db3e3069c2cd552239541e6aac71175ab669f09b85d874ee926d3
• Opcode Fuzzy Hash: 9f28a3ced345711e75f0ac64ce12293748005672f3eba931835142ecbcb9c49b
• Instruction Fuzzy Hash: 91310931B143009BEB189BB8D8CDB6DB771EF86310F248618F054AB2D5D7B54981D752

Control-flow Graph
APIs
• Sleep.KERNELBASE(00000064), ref: 00C0A963
• CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000001.00000002.1746787964.0000000000C00000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1746862422.0000000000C62000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747076476.0000000000C69000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747110950.0000000000C6B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747146114.0000000000C77000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747310554.0000000000DC8000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747388432.0000000000DCB000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747438436.0000000000DDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747542494.0000000000DEC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747624893.0000000000DEF000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747642690.0000000000DF1000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747685662.0000000000DF3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747714200.0000000000DFA000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747740046.0000000000DFB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747756143.0000000000DFC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747772120.0000000000E03000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747790630.0000000000E17000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747862479.0000000000E18000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747882111.0000000000E19000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747955981.0000000000E48000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747988000.0000000000E4E000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748046388.0000000000E55000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748072179.0000000000E58000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748126117.0000000000E59000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748153573.0000000000E5E000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748232890.0000000000E6B000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748294383.0000000000E6D000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748327330.0000000000E76000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748375237.0000000000E78000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748466358.0000000000E79000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748507936.0000000000E7D000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748543912.0000000000E86000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748562283.0000000000E88000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748585802.0000000000EA5000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748603620.0000000000EA6000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748677233.0000000000EB9000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748798251.0000000000EBA000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748798251.0000000000EC5000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751733020.0000000000EF3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751769925.0000000000EF4000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751848309.0000000000EF8000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751872855.0000000000EFA000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751913208.0000000000F09000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751940824.0000000000F0A000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1464230837-0
                                                                                                                          • Opcode ID: cde92de578c60f0b3982ac641b17e66dad577ee6ea4532e14a1017c379062fb0
                                                                                                                          • Instruction ID: 379f986774dc7c185e74d1ec223d97d2d32c7b13815d86f9c7abc879cd0dbe25
                                                                                                                          • Opcode Fuzzy Hash: cde92de578c60f0b3982ac641b17e66dad577ee6ea4532e14a1017c379062fb0
                                                                                                                          • Instruction Fuzzy Hash: 943116317042009BEB18DBB8DC99BADB7B2EBC6324F248618F054AB2D1C7758981D712

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          control_flow_graph 202 c0a682-c0a6a2 206 c0a6d0-c0a6ec 202->206 207 c0a6a4-c0a6b0 202->207 210 c0a71a-c0a739 206->210 211 c0a6ee-c0a6fa 206->211 208 c0a6b2-c0a6c0 207->208 209 c0a6c6-c0a6cd call c1d663 207->209 208->209 214 c0a949 208->214 209->206 212 c0a767-c0a916 call c180c0 210->212 213 c0a73b-c0a747 210->213 216 c0a710-c0a717 call c1d663 211->216 217 c0a6fc-c0a70a 211->217 219 c0a749-c0a757 213->219 220 c0a75d-c0a764 call c1d663 213->220 223 c0a94e-c0a994 call c36c6a Sleep CreateMutexA 214->223 224 c0a949 call c36c6a 214->224 216->210 217->214 217->216 219->214 219->220 220->212 234 c0a996-c0a998 223->234 235 c0a9a7-c0a9a8 223->235 224->223 234->235 236 c0a99a-c0a9a5 234->236 236->235
                                                                                                                          APIs
                                                                                                                          • Sleep.KERNELBASE(00000064), ref: 00C0A963
                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000001.00000002.1746787964.0000000000C00000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1746862422.0000000000C62000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747076476.0000000000C69000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747110950.0000000000C6B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747146114.0000000000C77000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747310554.0000000000DC8000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747388432.0000000000DCB000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747438436.0000000000DDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747542494.0000000000DEC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747624893.0000000000DEF000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747642690.0000000000DF1000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747685662.0000000000DF3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747714200.0000000000DFA000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747740046.0000000000DFB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747756143.0000000000DFC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747772120.0000000000E03000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747790630.0000000000E17000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747862479.0000000000E18000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747882111.0000000000E19000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747955981.0000000000E48000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747988000.0000000000E4E000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748046388.0000000000E55000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748072179.0000000000E58000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748126117.0000000000E59000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748153573.0000000000E5E000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748232890.0000000000E6B000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748294383.0000000000E6D000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748327330.0000000000E76000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748375237.0000000000E78000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748466358.0000000000E79000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748507936.0000000000E7D000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748543912.0000000000E86000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748562283.0000000000E88000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748585802.0000000000EA5000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748603620.0000000000EA6000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748677233.0000000000EB9000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748798251.0000000000EBA000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1748798251.0000000000EC5000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751733020.0000000000EF3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751769925.0000000000EF4000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751848309.0000000000EF8000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751872855.0000000000EFA000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751913208.0000000000F09000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1751940824.0000000000F0A000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1464230837-0
                                                                                                                          • Opcode ID: cd59f535df878544c364b54319630a37d8723bebb4d968f4c69ac3ed5a18ce84
                                                                                                                          • Instruction ID: bdd666cb56890dcc44fa1827d7f1a74a451cd485fcc022d7648afc883d52b98a
                                                                                                                          • Opcode Fuzzy Hash: cd59f535df878544c364b54319630a37d8723bebb4d968f4c69ac3ed5a18ce84
                                                                                                                          • Instruction Fuzzy Hash: 533108317043449BEB18DB7CDC89B6DB7B2DB86320F248618F014A72D5C7B58A81D756

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          control_flow_graph 238 c09adc-c09ae8 239 c09aea-c09af8 238->239 240 c09afe-c09d91 call c1d663 call c17a00 call c05c10 call c08b30 call c18220 call c17a00 call c05c10 call c08b30 call c18220 238->240 239->240 241 c0a917 239->241 243 c0a953-c0a994 Sleep CreateMutexA 241->243 244 c0a917 call c36c6a 241->244 249 c0a996-c0a998 243->249 250 c0a9a7-c0a9a8 243->250 244->243 249->250 253 c0a99a-c0a9a5 249->253 253->250
                                                                                                                          APIs
                                                                                                                          • Sleep.KERNELBASE(00000064), ref: 00C0A963
                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000001.00000002.1746787964.0000000000C00000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1746862422.0000000000C62000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747076476.0000000000C69000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747110950.0000000000C6B000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747146114.0000000000C77000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747310554.0000000000DC8000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747388432.0000000000DCB000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747438436.0000000000DDB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747542494.0000000000DEC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747624893.0000000000DEF000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747642690.0000000000DF1000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747685662.0000000000DF3000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747714200.0000000000DFA000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747740046.0000000000DFB000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747756143.0000000000DFC000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747772120.0000000000E03000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747790630.0000000000E17000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747862479.0000000000E18000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747882111.0000000000E19000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                           • Associated: 00000001.00000002.1747955981.0000000000E48000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                          • Associated: 00000001.00000002.1747988000.0000000000E4E000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748046388.0000000000E55000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748072179.0000000000E58000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748126117.0000000000E59000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748153573.0000000000E5E000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748232890.0000000000E6B000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748294383.0000000000E6D000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748327330.0000000000E76000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748375237.0000000000E78000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748466358.0000000000E79000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748507936.0000000000E7D000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748543912.0000000000E86000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748562283.0000000000E88000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748585802.0000000000EA5000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748603620.0000000000EA6000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748677233.0000000000EB9000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748798251.0000000000EBA000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748798251.0000000000EC5000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751733020.0000000000EF3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751769925.0000000000EF4000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751848309.0000000000EF8000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751872855.0000000000EFA000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751913208.0000000000F09000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751940824.0000000000F0A000.00000080.00000001.01000000.00000008.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 9cc09855239e834fc74c530f72b666e10bad23493f1602f97c7db8288846aa09
• Instruction ID: e2f55748943e9e80800b277ac3767bbd79ef9bce75e784bdb472ec4a3ce59ad0
• Opcode Fuzzy Hash: 9cc09855239e834fc74c530f72b666e10bad23493f1602f97c7db8288846aa09
• Instruction Fuzzy Hash: F9212C317042409BEB289F68DCD976DF7A1EBC2310F244619F414972D6D7B55981C752
Control-flow Graph (rendered as an image in the original report; legend: Executed / Not Executed)
• Nodes and edges: 306 c0a856-c0a86e 307 c0a870-c0a87c 308 c0a89c-c0a89e 306->307 306->308 309 c0a892-c0a899 call c1d663 310 c0a87e-c0a88c 307->309 307->310 311 c0a8a0-c0a8a7 312 c0a8a9-c0a8b1 call c07d30 308->311 308->312 309->308 310->309 313 c0a94e-c0a987 call c36c6a Sleep CreateMutexA 310->313 315 c0a8eb-c0a916 call c180c0 311->315 322 c0a8b3-c0a8bb call c07d30 323 c0a8e4-c0a8e6 312->322 312->323 327 c0a98e-c0a994 313->327 322->323 328 c0a8bd-c0a8c5 call c07d30 322->328 323->315 329 c0a996-c0a998 330 c0a9a7-c0a9a8 327->329 327->330 328->323 334 c0a8c7-c0a8cf call c07d30 328->334 329->330 332 c0a99a-c0a9a5 329->332 332->330 334->323 338 c0a8d1-c0a8d9 call c07d30 334->338 338->323 341 c0a8db-c0a8e2 338->341 341->315
APIs
• Sleep.KERNELBASE(00000064), ref: 00C0A963
• CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000001.00000002.1746787964.0000000000C00000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1746862422.0000000000C62000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747076476.0000000000C69000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747110950.0000000000C6B000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747146114.0000000000C77000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747310554.0000000000DC8000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747388432.0000000000DCB000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747542494.0000000000DEC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747624893.0000000000DEF000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747642690.0000000000DF1000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747685662.0000000000DF3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747714200.0000000000DFA000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747740046.0000000000DFB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747756143.0000000000DFC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747772120.0000000000E03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747790630.0000000000E17000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747862479.0000000000E18000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747882111.0000000000E19000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747955981.0000000000E48000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747988000.0000000000E4E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748046388.0000000000E55000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748072179.0000000000E58000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748126117.0000000000E59000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748153573.0000000000E5E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748232890.0000000000E6B000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748294383.0000000000E6D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748327330.0000000000E76000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748375237.0000000000E78000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748466358.0000000000E79000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748507936.0000000000E7D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748543912.0000000000E86000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748562283.0000000000E88000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748585802.0000000000EA5000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748603620.0000000000EA6000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748677233.0000000000EB9000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748798251.0000000000EBA000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748798251.0000000000EC5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751733020.0000000000EF3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751769925.0000000000EF4000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751848309.0000000000EF8000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751872855.0000000000EFA000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751913208.0000000000F09000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751940824.0000000000F0A000.00000080.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 39a3a3a1dfd35cb2ee92436f50087d405315d052d8ee053865a8a08513be7907
• Instruction ID: 8f699a0ca99532b55045a1a6da128439c104f7791e713aff386105150634bc0a
• Opcode Fuzzy Hash: 39a3a3a1dfd35cb2ee92436f50087d405315d052d8ee053865a8a08513be7907
• Instruction Fuzzy Hash: 912161317483019BFB2CA7689C9B73DB361DF81300F248A16F554E66D1CBB55A85D293
Control-flow Graph (rendered as an image in the original report; legend: Executed / Not Executed)
• Nodes and edges: 283 c0a34f-c0a35b 284 c0a371-c0a39a call c1d663 285 c0a35d-c0a36b 283->284 283->285 291 c0a3c8-c0a916 call c180c0 292 c0a39c-c0a3a8 284->291 284->292 285->284 286 c0a93a 285->286 288 c0a953-c0a994 Sleep CreateMutexA 289 c0a93a call c36c6a 286->288 286->289 299 c0a996-c0a998 300 c0a9a7-c0a9a8 288->299 288->300 289->288 293 c0a3aa-c0a3b8 294 c0a3be-c0a3c5 call c1d663 292->293 292->294 293->286 293->294 294->291 299->300 303 c0a99a-c0a9a5 299->303 303->300
APIs
• Sleep.KERNELBASE(00000064), ref: 00C0A963
• CreateMutexA.KERNELBASE(00000000,00000000,00C63254), ref: 00C0A981
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000001.00000002.1746787964.0000000000C00000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1746862422.0000000000C62000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747076476.0000000000C69000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747110950.0000000000C6B000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747146114.0000000000C77000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747310554.0000000000DC8000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747388432.0000000000DCB000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747542494.0000000000DEC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747624893.0000000000DEF000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747642690.0000000000DF1000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747685662.0000000000DF3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747714200.0000000000DFA000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747740046.0000000000DFB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747756143.0000000000DFC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747772120.0000000000E03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747790630.0000000000E17000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747862479.0000000000E18000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747882111.0000000000E19000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747955981.0000000000E48000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747988000.0000000000E4E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748046388.0000000000E55000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748072179.0000000000E58000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748126117.0000000000E59000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748153573.0000000000E5E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748232890.0000000000E6B000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748294383.0000000000E6D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748327330.0000000000E76000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748375237.0000000000E78000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748466358.0000000000E79000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748507936.0000000000E7D000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                          • Associated: 00000001.00000002.1748543912.0000000000E86000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748562283.0000000000E88000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748585802.0000000000EA5000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748603620.0000000000EA6000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748677233.0000000000EB9000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748798251.0000000000EBA000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1748798251.0000000000EC5000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751733020.0000000000EF3000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751769925.0000000000EF4000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751848309.0000000000EF8000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751872855.0000000000EFA000.00000080.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751913208.0000000000F09000.00000040.00000001.01000000.00000008.sdmpDownload File
                                                                                                                          • Associated: 00000001.00000002.1751940824.0000000000F0A000.00000080.00000001.01000000.00000008.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 7305560e31f081657856ce0353c568ecc4dc53922cd8ffaac9dc88b26e14fc0b
• Instruction ID: beb40010f2d123de988bb96059261464db910a4f3d0f224a2d9958cb3ba613b9
• Opcode Fuzzy Hash: 7305560e31f081657856ce0353c568ecc4dc53922cd8ffaac9dc88b26e14fc0b
• Instruction Fuzzy Hash: 742149327443009BEB189B68DC8976DB7B2DBD2310F244619F414A76E1C7B59A80C752
APIs
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000001.00000002.1746787964.0000000000C00000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1746862422.0000000000C62000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747076476.0000000000C69000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747110950.0000000000C6B000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747146114.0000000000C77000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747310554.0000000000DC8000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747388432.0000000000DCB000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747542494.0000000000DEC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747624893.0000000000DEF000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747642690.0000000000DF1000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747685662.0000000000DF3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747714200.0000000000DFA000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747740046.0000000000DFB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747756143.0000000000DFC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747772120.0000000000E03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747790630.0000000000E17000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747862479.0000000000E18000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747882111.0000000000E19000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747955981.0000000000E48000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747988000.0000000000E4E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748046388.0000000000E55000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748072179.0000000000E58000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748126117.0000000000E59000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748153573.0000000000E5E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748232890.0000000000E6B000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748294383.0000000000E6D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748327330.0000000000E76000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748375237.0000000000E78000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748466358.0000000000E79000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748507936.0000000000E7D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748543912.0000000000E86000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748562283.0000000000E88000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748585802.0000000000EA5000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748603620.0000000000EA6000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748677233.0000000000EB9000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748798251.0000000000EBA000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748798251.0000000000EC5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751733020.0000000000EF3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751769925.0000000000EF4000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751848309.0000000000EF8000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751872855.0000000000EFA000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751913208.0000000000F09000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751940824.0000000000F0A000.00000080.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
• Instruction ID: c72fbae239f92e39686cae6ab471efbbc6d61bd7a58a516e724c9b4d0892f1ff
• Opcode Fuzzy Hash: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
• Instruction Fuzzy Hash: 54B14632D242459FDB15CF28C8C17BEBBE5EF45340F24816AE865FB242D6349E42CB60
APIs
Memory Dump Source
• Source File: 00000001.00000002.1746862422.0000000000C01000.00000040.00000001.01000000.00000008.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000001.00000002.1746787964.0000000000C00000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1746862422.0000000000C62000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747076476.0000000000C69000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747110950.0000000000C6B000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747146114.0000000000C77000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747310554.0000000000DC8000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747388432.0000000000DCB000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DDB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747438436.0000000000DE9000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747542494.0000000000DEC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747624893.0000000000DEF000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747642690.0000000000DF1000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747685662.0000000000DF3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747714200.0000000000DFA000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747740046.0000000000DFB000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747756143.0000000000DFC000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747772120.0000000000E03000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747790630.0000000000E17000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747862479.0000000000E18000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747882111.0000000000E19000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747929285.0000000000E2A000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747955981.0000000000E48000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1747988000.0000000000E4E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748046388.0000000000E55000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748072179.0000000000E58000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748126117.0000000000E59000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748153573.0000000000E5E000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748232890.0000000000E6B000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748294383.0000000000E6D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748327330.0000000000E76000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748375237.0000000000E78000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748466358.0000000000E79000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748507936.0000000000E7D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748543912.0000000000E86000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748562283.0000000000E88000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748585802.0000000000EA5000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748603620.0000000000EA6000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748677233.0000000000EB9000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748798251.0000000000EBA000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1748798251.0000000000EC5000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751733020.0000000000EF3000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751769925.0000000000EF4000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751848309.0000000000EF8000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751872855.0000000000EFA000.00000080.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751913208.0000000000F09000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000001.00000002.1751940824.0000000000F0A000.00000080.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c00000_skotes.jbxd
Yara matches
Similarity
• API ID: Mtx_unlock
• String ID:
• API String ID: 1418687624-0
• Opcode ID: 9ba48bada7c892775353d63bb6dcae00e3a8a749a580364d2bdcbca142ff29d8
• Instruction ID: a0c9272a84a0e3b9128aa6d6aa76a7d4e77691e3125e6a46af7c539b09378cd7
• Opcode Fuzzy Hash: 9ba48bada7c892775353d63bb6dcae00e3a8a749a580364d2bdcbca142ff29d8
• Instruction Fuzzy Hash: 67A1F270A01255EFDB20DFA5C9857AAB7B8FF1A314F048129F825D7281EB31EB44DB91

Execution Graph

Execution Coverage: 12.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.4%
Total number of Nodes: 995
Total number of Limit Nodes: 9
13114->13116 13120 6c3953b4 13115->13120 13118 6c3953be 13116->13118 13119 6c395d2b _free 14 API calls 13116->13119 13117 6c394508 ___std_exception_copy 25 API calls 13117->13118 13118->13108 13119->13120 13120->13117 13125 6c394f89 13121->13125 13126 6c394f55 13121->13126 13122 6c394fa0 13124 6c395c47 _free 14 API calls 13122->13124 13123 6c395c47 _free 14 API calls 13123->13125 13124->13126 13125->13122 13125->13123 13126->13106 13127 6c35d140 13132 6c35d195 13127->13132 13128 6c35da40 13129 6c391560 _ValidateLocalCookies 5 API calls 13128->13129 13130 6c35da50 13129->13130 13131 6c351010 26 API calls 13131->13132 13132->13128 13132->13131 13133 6c36d9a0 26 API calls 13132->13133 13134 6c36df60 25 API calls 13132->13134 13137 6c355830 13132->13137 13143 6c358650 13132->13143 13133->13132 13134->13132 13139 6c3558ae 13137->13139 13138 6c36d9a0 26 API calls 13138->13139 13139->13138 13140 6c3561ad 13139->13140 13141 6c391560 _ValidateLocalCookies 5 API calls 13140->13141 13142 6c3561b7 13141->13142 13142->13132 13144 6c358671 13143->13144 13145 6c391560 _ValidateLocalCookies 5 API calls 13144->13145 13146 6c3587e1 13145->13146 13146->13132 11793 6c364500 11828 6c364520 std::bad_exception::bad_exception 11793->11828 11794 6c36b926 NtReadVirtualMemory 11794->11828 11795 6c36bffc NtWriteVirtualMemory 11795->11828 11796 6c36800b NtWriteVirtualMemory 11796->11828 11797 6c36bdb9 NtSetContextThread NtResumeThread 11797->11828 11798 6c36b2ba NtGetContextThread 11798->11828 11799 6c36c4ed NtSetContextThread NtResumeThread 11799->11828 11800 6c36be16 CloseHandle 11800->11828 11801 6c36b181 CloseHandle 11801->11828 11802 6c367041 NtAllocateVirtualMemory 11802->11828 11803 6c366903 VirtualAlloc 11803->11828 11804 6c36ae08 NtSetContextThread NtResumeThread 11804->11828 11805 6c3695f3 NtReadVirtualMemory 11805->11828 11806 6c36bee7 NtAllocateVirtualMemory 11806->11828 11807 6c366e1d CreateProcessW 11807->11828 11808 6c36c570 NtGetContextThread 11808->11828 11809 6c36a05a 
NtWriteVirtualMemory 11809->11828 11810 6c36bf2f NtWriteVirtualMemory 11810->11828 11811 6c367206 NtAllocateVirtualMemory 11811->11828 11812 6c366f4f NtGetContextThread 11812->11828 11813 6c36b208 CreateProcessW 11813->11828 11814 6c369acd NtWriteVirtualMemory 11814->11828 11815 6c367383 NtWriteVirtualMemory 11815->11828 11816 6c36b0ed CloseHandle 11816->11828 11817 6c367aa2 NtWriteVirtualMemory 11817->11828 11819 6c36a866 NtCreateThreadEx 11819->11828 11820 6c36b340 NtWriteVirtualMemory 11820->11828 11821 6c36b1ae 11866 6c391560 11821->11866 11823 6c36b1b8 11824 6c36c274 NtReadVirtualMemory 11824->11828 11825 6c36c3f4 NtWriteVirtualMemory 11825->11828 11826 6c366544 GetConsoleWindow ShowWindow 11831 6c35df30 11826->11831 11828->11794 11828->11795 11828->11796 11828->11797 11828->11798 11828->11799 11828->11800 11828->11801 11828->11802 11828->11803 11828->11804 11828->11805 11828->11806 11828->11807 11828->11808 11828->11809 11828->11810 11828->11811 11828->11812 11828->11813 11828->11814 11828->11815 11828->11816 11828->11817 11828->11819 11828->11820 11828->11821 11828->11824 11828->11825 11828->11826 11829 6c35df30 26 API calls 11828->11829 11854 6c3636a0 11828->11854 11862 6c35dbe0 11828->11862 11829->11828 11839 6c35df8f ___scrt_uninitialize_crt std::bad_exception::bad_exception 11831->11839 11832 6c3610d2 CreateFileMappingA 11832->11839 11833 6c360e93 VirtualProtect 11833->11839 11834 6c361231 GetCurrentProcess 11834->11839 11835 6c35ee46 GetCurrentProcess 11835->11839 11836 6c35f1da K32GetModuleInformation 11836->11839 11837 6c35efc3 GetModuleHandleA 11837->11839 11838 6c35f414 GetModuleFileNameA CreateFileA 11838->11839 11839->11832 11839->11833 11839->11834 11839->11835 11839->11836 11839->11837 11839->11838 11840 6c361166 MapViewOfFile 11839->11840 11841 6c36094c CloseHandle 11839->11841 11842 6c35faf6 MapViewOfFile 11839->11842 11843 6c35f66a CreateFileMappingA 11839->11843 11844 6c35f8a1 CloseHandle 11839->11844 11845 6c3603d1 VirtualProtect 
11839->11845 11846 6c361034 GetModuleFileNameA CreateFileA 11839->11846 11847 6c360284 VirtualProtect 11839->11847 11848 6c360a7d GetCurrentProcess 11839->11848 11849 6c36073b CloseHandle CloseHandle 11839->11849 11850 6c361139 CloseHandle 11839->11850 11851 6c360a0c 11839->11851 11840->11839 11841->11839 11842->11839 11843->11839 11844->11839 11845->11839 11846->11839 11847->11839 11848->11839 11849->11839 11850->11839 11852 6c391560 _ValidateLocalCookies 5 API calls 11851->11852 11853 6c360a16 11852->11853 11853->11828 11855 6c3636c0 std::bad_exception::bad_exception 11854->11855 11856 6c363af5 GetModuleHandleW 11855->11856 11858 6c363b48 NtQueryInformationProcess 11855->11858 11859 6c364279 11855->11859 11873 6c3612d0 11856->11873 11858->11855 11860 6c391560 _ValidateLocalCookies 5 API calls 11859->11860 11861 6c364289 11860->11861 11861->11828 11863 6c35dc3f 11862->11863 11864 6c391560 _ValidateLocalCookies 5 API calls 11863->11864 11865 6c35de2c 11864->11865 11865->11828 11867 6c391569 IsProcessorFeaturePresent 11866->11867 11868 6c391568 11866->11868 11870 6c391974 11867->11870 11868->11823 11877 6c391937 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11870->11877 11872 6c391a57 11872->11823 11874 6c361301 11873->11874 11875 6c391560 _ValidateLocalCookies 5 API calls 11874->11875 11876 6c3632bb 11875->11876 11876->11855 11877->11872 13147 6c36e880 13149 6c36e8a5 13147->13149 13148 6c38f000 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 13148->13149 13149->13148 13150 6c36ee4c 13149->13150 13151 6c391560 _ValidateLocalCookies 5 API calls 13150->13151 13152 6c36ee61 13151->13152 13153 6c38d720 13154 6c38d77b 13153->13154 13155 6c38de83 13154->13155 13159 6c38dfb0 13154->13159 13156 6c391560 _ValidateLocalCookies 5 API calls 13155->13156 13157 6c38de93 13156->13157 13163 6c38e005 13159->13163 13160 6c38e462 13161 6c391560 _ValidateLocalCookies 5 API calls 
13160->13161 13162 6c38e46c 13161->13162 13162->13154 13163->13160 13164 6c392aef 14 API calls ___std_exception_destroy 13163->13164 13164->13163 13165 6c393a60 13166 6c393a7e 13165->13166 13177 6c393a20 13166->13177 13178 6c393a3f 13177->13178 13179 6c393a32 13177->13179 13180 6c391560 _ValidateLocalCookies 5 API calls 13179->13180 13180->13178 13181 6c393de0 13182 6c393df2 13181->13182 13184 6c393e00 13181->13184 13183 6c391560 _ValidateLocalCookies 5 API calls 13182->13183 13183->13184 13185 6c393ce3 13186 6c393d1c 13185->13186 13187 6c393cec 13185->13187 13187->13186 13194 6c393f29 13187->13194 13190 6c393f29 47 API calls 13191 6c393d32 13190->13191 13208 6c395355 13191->13208 13195 6c393f37 23 API calls 13194->13195 13196 6c393f2e 13195->13196 13197 6c393d27 13196->13197 13198 6c3979e2 __fassign 2 API calls 13196->13198 13197->13190 13199 6c3953f0 13198->13199 13200 6c397a27 __fassign 37 API calls 13199->13200 13203 6c3953fb 13199->13203 13200->13203 13201 6c395405 IsProcessorFeaturePresent 13204 6c395411 13201->13204 13202 6c395424 13205 6c394b38 __fassign 23 API calls 13202->13205 13203->13201 13203->13202 13207 6c39435c __fassign 8 API calls 13204->13207 13206 6c39542e 13205->13206 13207->13202 13209 6c395361 ___scrt_is_nonwritable_in_current_image 13208->13209 13210 6c395907 __fassign 37 API calls 13209->13210 13213 6c395366 13210->13213 13211 6c3953eb __fassign 37 API calls 13212 6c395390 13211->13212 13213->13211
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: Virtual$Memory$Thread$Write$Context$AllocateCloseCreateHandleResume$ProcessReadWindow$AllocConsoleShow
• String ID: +)8'$?9<$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$MZx$Oxr$kernel32.dll$ntdll.dll$s}f$s}f$v#da$v#da$M!$M!$m:6$wr:$wr:$5$5
• API String ID: 917754357-601631542
• Opcode ID: bdd78b8c89ad82667eb76da4b7c59472c96d7fa5606842a2d264428fbb8fc4a4
• Instruction ID: 1a845a8523534fe67b44f9f714e5706c4fc466ece5078428ff889cad8f4a450d
• Opcode Fuzzy Hash: bdd78b8c89ad82667eb76da4b7c59472c96d7fa5606842a2d264428fbb8fc4a4
• Instruction Fuzzy Hash: D3E34432B012108FDF18CE3CC9943DA77F6AB87318F249159D859DBB99C63A8A49CF45
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: File$Handle$Close$Module$Create$NameProtectViewVirtual$CurrentInformationMappingProcess
• String ID: %\?O$%\?O$?:})$?:})$@$Kl75
• API String ID: 779022125-696379178
• Opcode ID: eeb4e8de3aa3013f1ce9f1f11145b542a342d1b841eff25305f0556c2c57a647
• Instruction ID: 10b893871f1322b797b2b20b7c5b9576c38028c9bde38b9212fc35ae9538ed5c
• Opcode Fuzzy Hash: eeb4e8de3aa3013f1ce9f1f11145b542a342d1b841eff25305f0556c2c57a647
• Instruction Fuzzy Hash: C6432136B043118FCB54CE3CC8957DE7BF6AB4B358F208659D829DBB94C63A99498F01

Control-flow Graph (rendered graph not reproduced)
Strings
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID:
• String ID: ,y$NtQueryInformationProcess$ntdll.dll
• API String ID: 0-3905804498
• Opcode ID: 4de6dc5e399c29699412cb809d7aed8edaff9cdbe6716e20593cc061f3785985
• Instruction ID: 79a74ad6d52c942a5513714227df6c452335111b528bcd6fb0f3dcae0544372f
• Opcode Fuzzy Hash: 4de6dc5e399c29699412cb809d7aed8edaff9cdbe6716e20593cc061f3785985
• Instruction Fuzzy Hash: E6620476E442048FCF48CE7DD5E53DE7BF6AB46328F20951AD421DBB98C63A99098F10

Control-flow Graph (rendered graph not reproduced)
APIs
• __RTC_Initialize.LIBCMT ref: 6C391775
• ___scrt_uninitialize_crt.LIBCMT ref: 6C39178F
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: Initialize___scrt_uninitialize_crt
• String ID:
• API String ID: 2442719207-0
• Opcode ID: dda2728597f4e910efcd0cee65489032637196a0807bc8f4ad5e203864c3c109
• Instruction ID: 90739ecf061f98b376ccaafed6594d5994b4143aacf757f64c26e93d93c41d57
• Opcode Fuzzy Hash: dda2728597f4e910efcd0cee65489032637196a0807bc8f4ad5e203864c3c109
• Instruction Fuzzy Hash: 9B41E573E08219AADB219F96C800BDE7ABDEB457A8F104115E85477B40E771CD05EFA1

Control-flow Graph (rendered graph not reproduced)
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                          • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3136044242-0
                                                                                                                          • Opcode ID: 7402f16baf38271ec03747cb8e1a2a518b85d42f4219e2b0b66d44873bd320de
                                                                                                                          • Instruction ID: b0af380e0f78ee882277fb5e0a21cade78b1eff7d1712c69ec8a3f546bda0f0e
                                                                                                                          • Opcode Fuzzy Hash: 7402f16baf38271ec03747cb8e1a2a518b85d42f4219e2b0b66d44873bd320de
                                                                                                                          • Instruction Fuzzy Hash: F921A173E09219AADB219F96C840AEF3A7DEB81A98F014125F81477A10E731CD01EFA1

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          control_flow_graph 1759 6c391627-6c39163d call 6c391ff0 call 6c391cc3 1764 6c391643-6c39165b call 6c391bc8 1759->1764 1765 6c391714 1759->1765 1769 6c391661-6c391672 call 6c391c25 1764->1769 1770 6c391726-6c39172d call 6c391e62 1764->1770 1767 6c391716-6c391725 1765->1767 1775 6c3916c1-6c3916cf call 6c39170a 1769->1775 1776 6c391674-6c39168d call 6c391f85 call 6c391b43 call 6c391b67 call 6c3946fe 1769->1776 1775->1765 1781 6c3916d1-6c3916db call 6c391e5c 1775->1781 1793 6c391692-6c391696 1776->1793 1787 6c3916dd-6c3916e6 call 6c391d83 1781->1787 1788 6c3916fc-6c391705 1781->1788 1787->1788 1794 6c3916e8-6c3916fa 1787->1794 1788->1767 1793->1775 1795 6c391698-6c39169f call 6c391bfa 1793->1795 1794->1788 1795->1775 1799 6c3916a1-6c3916be call 6c3946b9 1795->1799 1799->1775
                                                                                                                          APIs
                                                                                                                          • __RTC_Initialize.LIBCMT ref: 6C391674
                                                                                                                            • Part of subcall function 6C391B43: InitializeSListHead.KERNEL32(6C3ECA50,6C39167E,6C3A28C0,00000010,6C39160F,?,?,?,6C391837,?,00000001,?,?,00000001,?,6C3A2908), ref: 6C391B48
                                                                                                                          • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C3916DE
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                          • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                                          • String ID: 5 9l
                                                                                                                          • API String ID: 3231365870-2491167142
                                                                                                                          • Opcode ID: 5ff88312e1d7602bf1e4cd63d24299b072f05bc77eeb5aed45efc8487521175f
                                                                                                                          • Instruction ID: 0a7b225c989419f02f2a9518d1afeff4faf3d2afd2b377924cd894fc0bc40023
                                                                                                                          • Opcode Fuzzy Hash: 5ff88312e1d7602bf1e4cd63d24299b072f05bc77eeb5aed45efc8487521175f
                                                                                                                          • Instruction Fuzzy Hash: E7219D32A082069ADF40ABB4A4017DD3BB98B0636CF14041AD9D237F91FB76C149CEA6

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          control_flow_graph 1802 6c395d3e-6c395d49 1803 6c395d4b-6c395d55 1802->1803 1804 6c395d57-6c395d5d 1802->1804 1803->1804 1805 6c395d8b-6c395d96 call 6c395d2b 1803->1805 1806 6c395d5f-6c395d60 1804->1806 1807 6c395d76-6c395d87 RtlAllocateHeap 1804->1807 1811 6c395d98-6c395d9a 1805->1811 1806->1807 1808 6c395d89 1807->1808 1809 6c395d62-6c395d69 call 6c39867d 1807->1809 1808->1811 1809->1805 1815 6c395d6b-6c395d74 call 6c39460a 1809->1815 1815->1805 1815->1807
                                                                                                                          APIs
                                                                                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C395AA9,00000001,00000364,FFFFFFFF,000000FF,?,00000001,6C395D30,6C395C6D,?,?,6C395159), ref: 6C395D7F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                          • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279760036-0
                                                                                                                          • Opcode ID: 036a8f12ed8eafbb8c4345f490e22a9de68cd4ff5121506bedc283b113355333
                                                                                                                          • Instruction ID: 35af241dd2695e2ce5a622d5f39b4507034d9b0a60bc002dde589e93cb5bee2e
                                                                                                                          • Opcode Fuzzy Hash: 036a8f12ed8eafbb8c4345f490e22a9de68cd4ff5121506bedc283b113355333
                                                                                                                          • Instruction Fuzzy Hash: 56F0E0316465245AFB115E269C0CB5B375C9F827BAB144321D954D6970FB21D4818FE1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                          • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: +u.m
                                                                                                                          • API String ID: 0-1011435857
                                                                                                                          • Opcode ID: a873bb2894f367d219cbf7a56b4a2c2de8ab72cf8ef0dac3aa1319fb0672fea5
                                                                                                                          • Instruction ID: 744fadb5bd173f941e7417462ff76383f37b5e353391f67caa54d5daea282d0e
                                                                                                                          • Opcode Fuzzy Hash: a873bb2894f367d219cbf7a56b4a2c2de8ab72cf8ef0dac3aa1319fb0672fea5
                                                                                                                          • Instruction Fuzzy Hash: 28E1F772A452018FDF08CE7CC9D57DEB7E6AB8A369F209219D511DB7D4C23B89098F60
                                                                                                                          APIs
                                                                                                                          • std::_Xinvalid_argument.LIBCPMT ref: 6C37DB03
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                          • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Xinvalid_argumentstd::_
                                                                                                                          • String ID: i/x$$string too long
                                                                                                                          • API String ID: 909987262-2993097445
                                                                                                                          • Opcode ID: 7ebadae80371f5e7672a1c5715f4a2288a72ffd0d7bc35893233d3859840366f
                                                                                                                          • Instruction ID: 44a4da2b0d50dbaa0feee5faaf0bb042ea0114e18c32647d7dd54cbd83b222c9
                                                                                                                          • Opcode Fuzzy Hash: 7ebadae80371f5e7672a1c5715f4a2288a72ffd0d7bc35893233d3859840366f
                                                                                                                          • Instruction Fuzzy Hash: 56413671A446418FCF04CD7CC1E53DE7BF6AB56324F105909C8519B786D22B8509CB7A
                                                                                                                          APIs
                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C394454
                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C39445E
                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C39446B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                          • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                          • String ID: ,}9l
                                                                                                                          • API String ID: 3906539128-423982985
                                                                                                                          • Opcode ID: ddbc0e5be00c690f8465f706b81c14716d0bd4304391ad4fd5ef2938ca0c778e
                                                                                                                          • Instruction ID: 21ede8a25e45127bc8fe2300dc449c1ce13f997ec85a0834eb52be3e5abc693d
                                                                                                                          • Opcode Fuzzy Hash: ddbc0e5be00c690f8465f706b81c14716d0bd4304391ad4fd5ef2938ca0c778e
                                                                                                                          • Instruction Fuzzy Hash: 8831C37590122CABCB21DF69D988BCCBBB8BF08314F5042EAE41CA7350E7719B858F55
                                                                                                                          APIs
                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6C391E6E
                                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 6C391F3A
                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C391F5A
                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 6C391F64
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                          • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 254469556-0
                                                                                                                          • Opcode ID: b7e8d21cdbc6c76a594166e1abab9ad1f6a853b921ad0e4880d9a158d405382b
                                                                                                                          • Instruction ID: f34eef037ff59ba21787fd2d09f78843dee4b6e2939eda399306843f395c06aa
                                                                                                                          • Opcode Fuzzy Hash: b7e8d21cdbc6c76a594166e1abab9ad1f6a853b921ad0e4880d9a158d405382b
                                                                                                                          • Instruction Fuzzy Hash: F531F6B5D0521C9BDF10DFA5D989BCDBBB8BF08304F1041EAE449AB250EB719A89CF45
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                          • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: #
                                                                                                                          • API String ID: 0-2455148248
                                                                                                                          • Opcode ID: 21ce8a0ff1e79670ae426479320794bc8303a538bc3980126d21968fcc03241f
                                                                                                                          • Instruction ID: 65e4905f5b44ee30dbc8e691be6ab85d0a4faa7c52d6b9e6176d10b280e63569
                                                                                                                          • Opcode Fuzzy Hash: 21ce8a0ff1e79670ae426479320794bc8303a538bc3980126d21968fcc03241f
                                                                                                                          • Instruction Fuzzy Hash: A1C104BAA452058FDF04CEBCD9853DD7BF6AB8A324F144619D425AB790C33B85098FA1
                                                                                                                          APIs
                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C39204E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                          • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                          • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2325560087-0
                                                                                                                          • Opcode ID: 978203005e80cd98d095737ab9b342fece56fbeb8aad4d156fcf3d77552d7d85
                                                                                                                          • Instruction ID: c02a49c0ff3096dc2b81ea68fd0cb34452f859ff78d44fa8d577c6c1072dda12
                                                                                                                          • Opcode Fuzzy Hash: 978203005e80cd98d095737ab9b342fece56fbeb8aad4d156fcf3d77552d7d85
                                                                                                                          • Instruction Fuzzy Hash: 4F51A0B1A01B168BEB55CF55D5867AEBBF4FB48318F24812AC515EB740E376D900CF90

Control-flow Graph
control_flow_graph 1864 6c398360-6c398374 1865 6c3983e2-6c3983ea 1864->1865 1866 6c398376-6c39837b 1864->1866 1868 6c3983ec-6c3983ef 1865->1868 1869 6c398431-6c398449 call 6c3984d1 1865->1869 1866->1865 1867 6c39837d-6c398382 1866->1867 1867->1865 1870 6c398384-6c398387 1867->1870 1868->1869 1872 6c3983f1-6c39842e call 6c395c47 * 4 1868->1872 1878 6c39844c-6c398453 1869->1878 1870->1865 1873 6c398389-6c398391 1870->1873 1872->1869 1876 6c3983ab-6c3983b3 1873->1876 1877 6c398393-6c398396 1873->1877 1883 6c3983cd-6c3983e1 call 6c395c47 * 2 1876->1883 1884 6c3983b5-6c3983b8 1876->1884 1877->1876 1880 6c398398-6c3983aa call 6c395c47 call 6c39a297 1877->1880 1881 6c398472-6c398476 1878->1881 1882 6c398455-6c398459 1878->1882 1880->1876 1892 6c398478-6c39847d 1881->1892 1893 6c39848e-6c39849a 1881->1893 1888 6c39845b-6c39845e 1882->1888 1889 6c39846f 1882->1889 1883->1865 1884->1883 1890 6c3983ba-6c3983cc call 6c395c47 call 6c39a395 1884->1890 1888->1889 1897 6c398460-6c39846e call 6c395c47 * 2 1888->1897 1889->1881 1890->1883 1900 6c39848b 1892->1900 1901 6c39847f-6c398482 1892->1901 1893->1878 1895 6c39849c-6c3984a7 call 6c395c47 1893->1895 1897->1889 1900->1893 1901->1900 1908 6c398484-6c39848a call 6c395c47 1901->1908 1908->1900
APIs
• ___free_lconv_mon.LIBCMT ref: 6C3983A4
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A2B4
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A2C6
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A2D8
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A2EA
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A2FC
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A30E
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A320
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A332
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A344
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A356
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A368
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A37A
  • Part of subcall function 6C39A297: _free.LIBCMT ref: 6C39A38C
• _free.LIBCMT ref: 6C398399
  • Part of subcall function 6C395C47: HeapFree.KERNEL32(00000000,00000000,?,6C395159), ref: 6C395C5D
  • Part of subcall function 6C395C47: GetLastError.KERNEL32(?,?,6C395159), ref: 6C395C6F
• _free.LIBCMT ref: 6C3983BB
• _free.LIBCMT ref: 6C3983D0
• _free.LIBCMT ref: 6C3983DB
• _free.LIBCMT ref: 6C3983FD
• _free.LIBCMT ref: 6C398410
• _free.LIBCMT ref: 6C39841E
• _free.LIBCMT ref: 6C398429
• _free.LIBCMT ref: 6C398461
• _free.LIBCMT ref: 6C398468
• _free.LIBCMT ref: 6C398485
• _free.LIBCMT ref: 6C39849D
Note: ___free_lconv_mon plus twelve _free calls through 6C395C47 (the routine whose subcall lines show HeapFree and GetLastError) is CRT locale teardown. Every listed _free reference falls inside a graph node marked "call 6c395c47", and the "* 4" and "* 2" multipliers on nodes 1872, 1883 and 1897 match the number of references in those address ranges.
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 3988328153b4b04a6ef9e996a3651ef214da385a960fa45e82b8b382fae9f95a
• Instruction ID: 305fedeb755ae811cf35d659fe8c152c3c0726160807416c159fa5fffef4b3a3
• Opcode Fuzzy Hash: 3988328153b4b04a6ef9e996a3651ef214da385a960fa45e82b8b382fae9f95a
• Instruction Fuzzy Hash: 9A313E316043009FEB15AE35D980F9A77E9AF8035AF24452BE4A5D7A50EB36E885CF12
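The block above for the function at 6c398360 lists twelve _free references next to a graph whose nodes carry "call 6c395c47" markers, 6C395C47 being the routine the subcall lines show calling HeapFree. The following is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It parses function blocks in this report's layout into records, maps each listed API reference to its basic block and to its RVA within the dumped module, and checks that the listed _free references agree, node by node, with the graph's call sites. SAMPLE is a constructed copy of that block (field labels verbatim, the 6C39A297 subcall lines and most Similarity lines trimmed); the names parse_report, FunctionRecord and check_free_refs are this example's own.

```python
"""Parse this Joe Sandbox report's per-function blocks ('Control-flow Graph', 'APIs', 'Memory Dump
Source', 'Similarity') into records and cross-check the listed API refs against the graph.  Added
example for this page, not Joe Sandbox code; SAMPLE is a constructed copy of the 6c398360 block."""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = """\
Control-flow Graph
control_flow_graph 1864 6c398360-6c398374 1865 6c3983e2-6c3983ea 1864->1865 1866 6c398376-6c39837b 1864->1866 1868 6c3983ec-6c3983ef 1865->1868 1869 6c398431-6c398449 call 6c3984d1 1865->1869 1866->1865 1867 6c39837d-6c398382 1866->1867 1867->1865 1870 6c398384-6c398387 1867->1870 1868->1869 1872 6c3983f1-6c39842e call 6c395c47 * 4 1868->1872 1878 6c39844c-6c398453 1869->1878 1870->1865 1873 6c398389-6c398391 1870->1873 1872->1869 1876 6c3983ab-6c3983b3 1873->1876 1877 6c398393-6c398396 1873->1877 1883 6c3983cd-6c3983e1 call 6c395c47 * 2 1876->1883 1884 6c3983b5-6c3983b8 1876->1884 1877->1876 1880 6c398398-6c3983aa call 6c395c47 call 6c39a297 1877->1880 1881 6c398472-6c398476 1878->1881 1882 6c398455-6c398459 1878->1882 1880->1876 1892 6c398478-6c39847d 1881->1892 1893 6c39848e-6c39849a 1881->1893 1888 6c39845b-6c39845e 1882->1888 1889 6c39846f 1882->1889 1883->1865 1884->1883 1890 6c3983ba-6c3983cc call 6c395c47 call 6c39a395 1884->1890 1888->1889 1897 6c398460-6c39846e call 6c395c47 * 2 1888->1897 1889->1881 1890->1883 1900 6c39848b 1892->1900 1901 6c39847f-6c398482 1892->1901 1893->1878 1895 6c39849c-6c3984a7 call 6c395c47 1893->1895 1897->1889 1900->1893 1901->1900 1908 6c398484-6c39848a call 6c395c47 1901->1908 1908->1900
APIs
• ___free_lconv_mon.LIBCMT ref: 6C3983A4
• _free.LIBCMT ref: 6C398399
  • Part of subcall function 6C395C47: HeapFree.KERNEL32(00000000,00000000,?,6C395159), ref: 6C395C5D
• _free.LIBCMT ref: 6C3983BB
• _free.LIBCMT ref: 6C3983D0
• _free.LIBCMT ref: 6C3983DB
• _free.LIBCMT ref: 6C3983FD
• _free.LIBCMT ref: 6C398410
• _free.LIBCMT ref: 6C39841E
• _free.LIBCMT ref: 6C398429
• _free.LIBCMT ref: 6C398461
• _free.LIBCMT ref: 6C398468
• _free.LIBCMT ref: 6C398485
• _free.LIBCMT ref: 6C39849D
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
Similarity
• Instruction Fuzzy Hash: 9A313E316043009FEB15AE35D980F9A77E9AF8035AF24452BE4A5D7A50EB36E885CF12
"""

SECTIONS = {"Control-flow Graph", "APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^• (?:Part of subcall function (?P<subfn>[0-9A-F]{8}): )?(?P<name>[\w@?$]+)\."
                    r"(?P<mod>[A-Z0-9_]+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-F]{8})$")
NODE_RE = re.compile(r"\b(\d+) ([0-9a-f]{8})\b(?:-([0-9a-f]{8}))?")  # '1864 6c398360-6c398374'
CALL_RE = re.compile(r"\bcall ([0-9a-f]{8})(?: \* (\d+))?")         # 'call 6c395c47 * 4'

@dataclass
class Block:
    id: int
    start: int
    end: int
    calls: Counter = field(default_factory=Counter)  # callee address -> number of call sites

@dataclass
class FunctionRecord:
    base: int = 0                                    # module base, from 'Offset:'
    blocks: list = field(default_factory=list)
    apis: list = field(default_factory=list)         # (name, module, ref) inside this function
    subcalls: list = field(default_factory=list)     # (callee, name, module, ref) one level down

    def block_of(self, addr):
        """Id of the basic block containing addr, or None when addr lies outside the function."""
        return next((b.id for b in self.blocks if b.start <= addr <= b.end), None)

    def call_counts(self):
        return sum((b.calls for b in self.blocks), Counter())

def parse_cfg(line, rec):
    starts = list(NODE_RE.finditer(line))
    for i, m in enumerate(starts):                   # text up to the next node belongs to this node
        seg = line[m.start():starts[i + 1].start() if i + 1 < len(starts) else None]
        blk = Block(int(m[1]), int(m[2], 16), int(m[3] or m[2], 16))
        for callee, n in CALL_RE.findall(seg):
            blk.calls[callee] += int(n or 1)
        rec.blocks.append(blk)

def parse_report(text):
    records, rec, section = [], FunctionRecord(), None
    for line in map(str.strip, text.splitlines()):
        if line in SECTIONS:
            section = line
        elif line.startswith("control_flow_graph "):
            parse_cfg(line, rec)
        elif section == "APIs" and (m := API_RE.match(line)):
            entry = (m["name"], m["mod"], int(m["ref"], 16))
            if m["subfn"]:
                rec.subcalls.append((m["subfn"],) + entry)
            else:
                rec.apis.append(entry)
        elif section == "Memory Dump Source" and (m := re.search(r"Offset: ([0-9A-F]{8})", line)):
            rec.base = int(m[1], 16)
        elif line.startswith("• Instruction Fuzzy Hash:"):  # last field of every block
            records.append(rec)
            rec, section = FunctionRecord(), None
    return records

def check_free_refs(rec, wrapper="6c395c47"):
    """Per block: '_free.LIBCMT' refs vs. CFG call sites to the wrapper -> (refs, calls, bad block ids)."""
    per_block = Counter(rec.block_of(ref) for name, _, ref in rec.apis if name == "_free")
    bad = [b.id for b in rec.blocks if b.calls.get(wrapper, 0) != per_block.get(b.id, 0)]
    return sum(per_block.values()), rec.call_counts()[wrapper], bad

if __name__ == "__main__":
    rec = parse_report(SAMPLE)[0]
    for name, mod, ref in rec.apis:  # listed ref, its RVA in the dumped DLL, and its basic block
        print(f"{ref:08X}  RVA {ref - rec.base:#x}  block {rec.block_of(ref)}  {name}.{mod}")
    print("(_free refs, CFG call sites to 6c395c47, mismatching blocks):", check_free_refs(rec))
```

The RVA (reference minus the "Offset:" base) is what you need to find the same instruction in the dumped .sdmp loaded in a disassembler at its preferred base; a reference that maps to no block, such as the HeapFree site inside 6C395C47, is flagged as None rather than silently attributed to the caller.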

Control-flow Graph
control_flow_graph 2045 6c3957c3-6c3957d6 2046 6c3957d8-6c3957e1 call 6c395c47 2045->2046 2047 6c3957e2-6c39588f call 6c395c47 * 9 call 6c3955ef call 6c39565a 2045->2047 2046->2047
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1f59eb860ca85714d187093fba8bea436cd8901e983f624841e4f0dbae8dcfa0
• Instruction ID: f0ea82d4fb778f0a9c08d9a69b376d6182e30cf052f6143eb709401cc1abe552
• Opcode Fuzzy Hash: 1f59eb860ca85714d187093fba8bea436cd8901e983f624841e4f0dbae8dcfa0
• Instruction Fuzzy Hash: DA219A76900148BFCB45EF94C880DDD7BB9BF18246F004266E5569BA21EB31DA89CF81

Control-flow Graph
control_flow_graph 2406 6c393a60-6c393ab1 call 6c39c7b0 call 6c393a20 call 6c393ea7 2413 6c393b0d-6c393b10 2406->2413 2414 6c393ab3-6c393ac5 2406->2414 2415 6c393b30-6c393b39 2413->2415 2416 6c393b12-6c393b1f call 6c393e90 2413->2416 2414->2415 2417 6c393ac7-6c393ade 2414->2417 2422 6c393b24-6c393b2d call 6c393a20 2416->2422 2419 6c393ae0-6c393aee call 6c393e30 2417->2419 2420 6c393af4 2417->2420 2429 6c393af0 2419->2429 2430 6c393b04-6c393b0b 2419->2430 2421 6c393af7-6c393afc 2420->2421 2421->2417 2424 6c393afe-6c393b00 2421->2424 2422->2415 2424->2415 2427 6c393b02 2424->2427 2427->2422 2431 6c393b3a-6c393b43 2429->2431 2432 6c393af2 2429->2432 2430->2422 2433 6c393b7d-6c393b8d call 6c393e70 2431->2433 2434 6c393b45-6c393b4c 2431->2434 2432->2421 2440 6c393b8f-6c393b9e call 6c393e90 2433->2440 2441 6c393ba1-6c393bbd call 6c393a20 call 6c393e50 2433->2441 2434->2433 2436 6c393b4e-6c393b5d call 6c39c650 2434->2436 2442 6c393b7a 2436->2442 2443 6c393b5f-6c393b77 2436->2443 2440->2441 2442->2433 2443->2442
APIs
• _ValidateLocalCookies.LIBCMT ref: 6C393A97
• ___except_validate_context_record.LIBVCRUNTIME ref: 6C393A9F
• _ValidateLocalCookies.LIBCMT ref: 6C393B28
• __IsNonwritableInCurrentImage.LIBCMT ref: 6C393B53
• _ValidateLocalCookies.LIBCMT ref: 6C393BA8
Note: _ValidateLocalCookies, ___except_validate_context_record and __IsNonwritableInCurrentImage are MSVC CRT exception-handler internals, and "csm" is the little-endian byte pattern of 0xE06D7363, the C++ exception code; this function is compiler-generated exception-handling support, not sample-specific logic. "5 9l" is the in-module address 0x6C392035 picked up as printable text rather than a real string constant.
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: 5 9l$csm
• API String ID: 1170836740-3467553150
• Opcode ID: 908991fda488a8ac094b6f374029138a5ba410bd4f2d2b6cd3a9e92af028f49c
• Instruction ID: 1862ec32cb03dda4d38341394246c5974dc92f046fb4e475f77a85e374087231
• Opcode Fuzzy Hash: 908991fda488a8ac094b6f374029138a5ba410bd4f2d2b6cd3a9e92af028f49c
• Instruction Fuzzy Hash: 2D41B1B0A012199BCF40CF68C880ADEBBB5AF46318F148155E9199BB51E732A915CF92

Control-flow Graph
control_flow_graph 2452 6c397288-6c397294 2453 6c39733b-6c39733e 2452->2453 2454 6c397299-6c3972aa 2453->2454 2455 6c397344 2453->2455 2457 6c3972ac-6c3972af 2454->2457 2458 6c3972b7-6c3972d0 LoadLibraryExW 2454->2458 2456 6c397346-6c39734a 2455->2456 2459 6c397338 2457->2459 2460 6c3972b5 2457->2460 2461 6c397322-6c39732b 2458->2461 2462 6c3972d2-6c3972db GetLastError 2458->2462 2459->2453 2466 6c397334-6c397336 2460->2466 2465 6c39732d-6c39732e FreeLibrary 2461->2465 2461->2466 2463 6c3972dd-6c3972ef call 6c395563 2462->2463 2464 6c397312 2462->2464 2463->2464 2472 6c3972f1-6c397303 call 6c395563 2463->2472 2468 6c397314-6c397316 2464->2468 2465->2466 2466->2459 2469 6c39734b-6c39734d 2466->2469 2468->2461 2471 6c397318-6c397320 2468->2471 2469->2456 2471->2459 2472->2464 2475 6c397305-6c397310 LoadLibraryExW 2472->2475 2475->2468
Note: no API references are listed for this function, but its graph calls LoadLibraryExW, then GetLastError, two string comparisons (6c395563) and a second LoadLibraryExW, with FreeLibrary on another path, and the strings "api-ms-" and "ext-ms-" are the API-set DLL name prefixes. That is consistent with the CRT's module-loading helper, which retries LoadLibraryExW without the system-directory search flag when the first call fails and the name is not an API set. "YQ9l" is the in-module address 0x6C395159 (the same value that appears in the HeapFree.KERNEL32 argument lists elsewhere in this report) read as printable text, not a real string constant.
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID:
• String ID: YQ9l$api-ms-$ext-ms-
• API String ID: 0-4063487603
• Opcode ID: b0b593e7824f2ab66b3aed3593bc2c496e8ec6145a2e57f53c24fb4b594661b6
• Instruction ID: c2631845f7d153b6a3b5fcc3d85f92c1620531334883881e81fb90960bb6f315
• Opcode Fuzzy Hash: b0b593e7824f2ab66b3aed3593bc2c496e8ec6145a2e57f53c24fb4b594661b6
• Instruction Fuzzy Hash: B321A831B06211E7DB218A258CC1A5A376CAB43768B590611EC55A76C1F731DC418EE1

Control-flow Graph
control_flow_graph 2476 6c3965cd-6c3965d8 2477 6c3965e9-6c3965ef 2476->2477 2478 6c3965da-6c3965e4 call 6c3966bb 2476->2478 2480 6c3965f1-6c3965f7 2477->2480 2481 6c396616-6c39662b call 6c39705b 2477->2481 2488 6c396691-6c396693 2478->2488 2484 6c3965f9-6c396604 call 6c396694 2480->2484 2485 6c39660a-6c396614 2480->2485 2491 6c39662d-6c396641 GetLastError call 6c395cf5 call 6c395d2b 2481->2491 2492 6c396643-6c39664a 2481->2492 2484->2485 2486 6c396690 2484->2486 2485->2486 2486->2488 2491->2486 2494 6c396658-6c396671 call 6c39705b 2492->2494 2495 6c39664c-6c396656 call 6c396694 2492->2495 2502 6c396689-6c39668d 2494->2502 2503 6c396673-6c396687 GetLastError call 6c395cf5 call 6c395d2b 2494->2503 2495->2494 2505 6c39668f 2495->2505 2502->2505 2503->2505 2505->2486
Strings
• [g9l, xrefs: 6C39661E
• C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe, xrefs: 6C3965D2
Note: the path is that of this DLL's host process, im2o0Q8.exe (process 8, as the snapshot file name also indicates), dropped under C:\Users\user\AppData\Local\Temp\1019352001\; the DLL itself is mapped at 0x6C350000 per the dump source. "[g9l" is the in-module address 0x6C39675B read as printable text, not a real string constant.
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID:
• String ID: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe$[g9l
• API String ID: 0-1132396730
• Opcode ID: c6095470ec554fcaccb405a7ac969a8fe04d895fdffe1accd1cb9209776af2b0
• Instruction ID: e56628346f027cc61911fd81b823ad0efd412a471fd7b4ea1c9c94e20a3a48ad
• Opcode Fuzzy Hash: c6095470ec554fcaccb405a7ac969a8fe04d895fdffe1accd1cb9209776af2b0
• Instruction Fuzzy Hash: 96219D71605209EFDB409F6A8C8099BB7BCAF413AC7054629F958D7A50FB32EC458FE1
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6C39A3FE: _free.LIBCMT ref: 6C39A423
                                                                                                                          • _free.LIBCMT ref: 6C39A484
                                                                                                                            • Part of subcall function 6C395C47: HeapFree.KERNEL32(00000000,00000000,?,6C395159), ref: 6C395C5D
                                                                                                                            • Part of subcall function 6C395C47: GetLastError.KERNEL32(?,?,6C395159), ref: 6C395C6F
                                                                                                                          • _free.LIBCMT ref: 6C39A48F
                                                                                                                          • _free.LIBCMT ref: 6C39A49A
                                                                                                                          • _free.LIBCMT ref: 6C39A4EE
                                                                                                                          • _free.LIBCMT ref: 6C39A4F9
                                                                                                                          • _free.LIBCMT ref: 6C39A504
                                                                                                                          • _free.LIBCMT ref: 6C39A50F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
                                                                                                                           • Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                           • Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                           • Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                           • Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 776569668-0
                                                                                                                          • Opcode ID: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
                                                                                                                          • Instruction ID: bf4fddf3d5ed6ba3bcec592762545a135ee8c3e5aefc23cfed5bb04ff264fcd2
                                                                                                                          • Opcode Fuzzy Hash: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
                                                                                                                          • Instruction Fuzzy Hash: 4E119331990B04BAE521AFB0CC45FDB77DDDF0870AF800A15A2DA66A50FB39B5894F52
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C394A79,?,?,6C394A41,?,00000001,?), ref: 6C394ADC
                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C394AEF
                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,6C394A79,?,?,6C394A41,?,00000001,?), ref: 6C394B12
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                          • String ID: 5 9l$CorExitProcess$mscoree.dll
                                                                                                                          • API String ID: 4061214504-2806451156
                                                                                                                          • Opcode ID: 3ef8662e9559013a74f02e5511570feb7a25e1e3fbcb83caca157a1f8acdef99
                                                                                                                          • Instruction ID: 59550357a7c1ab83e4188f8eae87ee22650761db5110a58b47dd48a95a27cfe6
                                                                                                                          • Opcode Fuzzy Hash: 3ef8662e9559013a74f02e5511570feb7a25e1e3fbcb83caca157a1f8acdef99
                                                                                                                          • Instruction Fuzzy Hash: B3F01C31605219FBDF019F51CD0ABDE7B79FB0275AF114060F411A2650EB3A8A11DED1
                                                                                                                          APIs
                                                                                                                          • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6C399597
                                                                                                                          • __fassign.LIBCMT ref: 6C39977C
                                                                                                                          • __fassign.LIBCMT ref: 6C399799
                                                                                                                          • WriteFile.KERNEL32(?,6C397D79,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C3997E1
                                                                                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C399821
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C3998C9
                                                                                                                          Similarity
                                                                                                                          • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1735259414-0
                                                                                                                          • Opcode ID: 5efef58de990b38f44bf62d0f4697a751b1d0c893334f4f689cf896003f555eb
                                                                                                                          • Instruction ID: 3fa48b1efb33e38873109c580d0cd0daaed3c3d0801536d0f39d5bfe5e56a136
                                                                                                                          • Opcode Fuzzy Hash: 5efef58de990b38f44bf62d0f4697a751b1d0c893334f4f689cf896003f555eb
                                                                                                                          • Instruction Fuzzy Hash: 4DC18F71D052589FDB10CFA8C8809EDBBB9AF49318F28416AE859BB741E7319946CF60
                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(00000001,?,6C393C05,6C391C38,6C3915FF,?,6C391837,?,00000001,?,?,00000001,?,6C3A2908,0000000C,6C391930), ref: 6C393F45
                                                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C393F53
                                                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C393F6C
                                                                                                                          • SetLastError.KERNEL32(00000000,6C391837,?,00000001,?,?,00000001,?,6C3A2908,0000000C,6C391930,?,00000001,?), ref: 6C393FBE
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3852720340-0
                                                                                                                          • Opcode ID: 2134256c09e9f00592e8b7278af412a88981fa4a5ff93e97aa44f97dc0486469
                                                                                                                          • Instruction ID: c408a3542396f6285db1e163a88d66c14ec1e515b80949be24b371ab8ce864cb
                                                                                                                          • Opcode Fuzzy Hash: 2134256c09e9f00592e8b7278af412a88981fa4a5ff93e97aa44f97dc0486469
                                                                                                                          • Instruction Fuzzy Hash: 0B012DB220D3125DA6910975BC44596277AE74237C320032AF17E47BD0FF53880D5A45
                                                                                                                          APIs
                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,6C394174,00000000,?,00000001,00000000,?,6C3941EB,00000001,FlsFree,6C39E364,FlsFree,00000000), ref: 6C394143
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeLibrary
                                                                                                                          • String ID: api-ms-
                                                                                                                          • API String ID: 3664257935-2084034818
                                                                                                                          • Opcode ID: e9198de3dcc9333959e1931dcb4b225801b3bd5325392b465d8e33b2c47890bc
                                                                                                                          • Instruction ID: 81733b33444c8e03871a7542b8349b0dceace6d5e82a6d95825193e4af4e716a
                                                                                                                          • Opcode Fuzzy Hash: e9198de3dcc9333959e1931dcb4b225801b3bd5325392b465d8e33b2c47890bc
                                                                                                                          • Instruction Fuzzy Hash: 8C11C232B45621ABDF229E699C41B8933B8AF02778F150210E924E7780F722E9009ED2
                                                                                                                          APIs
                                                                                                                          • _free.LIBCMT ref: 6C39A3AD
                                                                                                                            • Part of subcall function 6C395C47: HeapFree.KERNEL32(00000000,00000000,?,6C395159), ref: 6C395C5D
                                                                                                                            • Part of subcall function 6C395C47: GetLastError.KERNEL32(?,?,6C395159), ref: 6C395C6F
                                                                                                                          • _free.LIBCMT ref: 6C39A3BF
                                                                                                                          • _free.LIBCMT ref: 6C39A3D1
                                                                                                                          • _free.LIBCMT ref: 6C39A3E3
                                                                                                                          • _free.LIBCMT ref: 6C39A3F5
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 776569668-0
                                                                                                                          • Opcode ID: 0860ec4debf1c55fff2f4492c1cca82cf918f116b1bf52da0374938ad0aa0ba5
                                                                                                                          • Instruction ID: 00cae0de668156d054f9331961b308e9d1f008c28ff3029ad3689b7515a03b38
                                                                                                                          • Opcode Fuzzy Hash: 0860ec4debf1c55fff2f4492c1cca82cf918f116b1bf52da0374938ad0aa0ba5
                                                                                                                          • Instruction Fuzzy Hash: 99F04F31A052449B8A54EE59E5C4C5A7BEEEB056167700906E0A9D7E40EB31F8C18F90
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6C39954F: GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6C399597
                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,6C397D79,?,00000000,00000000,6C3A2BB8,0000002C,6C397DEA,?), ref: 6C399F02
                                                                                                                          • GetLastError.KERNEL32 ref: 6C399F0C
                                                                                                                          • __dosmaperr.LIBCMT ref: 6C399F4B
                                                                                                                          Similarity
                                                                                                                          • API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
                                                                                                                          • String ID: }9l
                                                                                                                          • API String ID: 910155933-1039555260
                                                                                                                          • Opcode ID: 4b44954f2e94021517d0fb7e7f7147178af9d2bf9c0ea843dc7928d727a8d3df
                                                                                                                          • Instruction ID: 2218cc9faf668645b9b3259267174a7ab49645865c69892f29f432efdfffa7c4
                                                                                                                          • Opcode Fuzzy Hash: 4b44954f2e94021517d0fb7e7f7147178af9d2bf9c0ea843dc7928d727a8d3df
                                                                                                                          • Instruction Fuzzy Hash: 1351C271E01309AFDB11CFA9C844BDEBBB8EF46319F140145E44AA7A50F732D9858FA1
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\1019352001\im2o0Q8.exe$p1r
                                                                                                                          • API String ID: 0-544500713
                                                                                                                          • Opcode ID: 525673302e99ba9626e930986c3fcfbeb114728f1fab7c3cdf2e0d2a9eb5ec4c
                                                                                                                          • Instruction ID: bdeb53fb79b344fc83787cfb024eb10df5015d621ce6bba0b9c019dee5e5dcc6
                                                                                                                          • Opcode Fuzzy Hash: 525673302e99ba9626e930986c3fcfbeb114728f1fab7c3cdf2e0d2a9eb5ec4c
                                                                                                                          • Instruction Fuzzy Hash: F2418471A00259BFDB11EF999880E9EBBBCEB8A318B100156E464A7710F7718A44CFA1
                                                                                                                          APIs
                                                                                                                          • RaiseException.KERNEL32(E06D7363,00000001,00000003,?,-00000001,?,6C39232A,?,6C3A2978,?,?,?,6C37DB08), ref: 6C392A80
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionRaise
                                                                                                                          • String ID: *#9l$5 9l$x):l
                                                                                                                          • API String ID: 3997070919-1178734790
APIs
• GetLastError.KERNEL32(?,?,?,6C399997,?,00000001,6C397DEA,?,6C399E51,00000001,?,?,?,6C397D79,?,00000000), ref: 6C39590C
• _free.LIBCMT ref: 6C395969
• _free.LIBCMT ref: 6C39599F
• SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6C399E51,00000001,?,?,?,6C397D79,?,00000000,00000000,6C3A2BB8,0000002C,6C397DEA), ref: 6C3959AA
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
APIs
• GetLastError.KERNEL32(?,?,00000001,6C395D30,6C395C6D,?,?,6C395159), ref: 6C395A63
• _free.LIBCMT ref: 6C395AC0
• _free.LIBCMT ref: 6C395AF6
• SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,00000001,6C395D30,6C395C6D,?,?,6C395159), ref: 6C395B01
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
APIs
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6C39A640,?,00000001,?,00000001,?,6C399926,?,?,00000001), ref: 6C39ABFD
• GetLastError.KERNEL32(?,6C39A640,?,00000001,?,00000001,?,6C399926,?,?,00000001,?,00000001,?,6C399E72,6C397D79), ref: 6C39AC09
  • Part of subcall function 6C39ABCF: CloseHandle.KERNEL32(FFFFFFFE,6C39AC19,?,6C39A640,?,00000001,?,00000001,?,6C399926,?,?,00000001,?,00000001), ref: 6C39ABDF
• ___initconout.LIBCMT ref: 6C39AC19
  • Part of subcall function 6C39AB91: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C39ABC0,6C39A62D,00000001,?,6C399926,?,?,00000001,?), ref: 6C39ABA4
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6C39A640,?,00000001,?,00000001,?,6C399926,?,?,00000001,?), ref: 6C39AC2E
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
  • Part of subcall function 6C3992EF: EnterCriticalSection.KERNEL32(00000001,?,6C399D2E,?,6C3A2C58,00000010,6C397E8D,00000000,00000000,?,?,?,?,6C397ED1,?,00000000), ref: 6C39930A
• FlushFileBuffers.KERNEL32(00000000,6C3A2C38,0000000C,6C399537,}9l,?,00000001,?,6C397DEA,?), ref: 6C399479
• GetLastError.KERNEL32 ref: 6C39948A
Strings
Memory Dump Source
• Source File: 00000008.00000002.2585863610.000000006C351000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C350000, based on PE: true
• Associated: 00000008.00000002.2585813917.000000006C350000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2585966387.000000006C39D000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586070950.000000006C3A4000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.2586167420.000000006C3EE000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c350000_im2o0Q8.jbxd
Similarity
• API ID: BuffersCriticalEnterErrorFileFlushLastSection
• String ID: }9l
• API String ID: 4109680722-1039555260